Yahoo is expected to confirm this week what Recode describes as a “widespread and serious” data breach affecting an estimated 200 million users. In light of this news, IT security experts commented below.
Peter Galvin, Vice President of Strategy at Thales e-Security:
“As a result of this hack, the personal data of millions of Yahoo! users has now been exposed on the dark web and made available to anyone who seeks it – most likely those with malicious intent. Once this data falls into the hands of these would-be criminals, users may worryingly find themselves as the victims of identity fraud or threats of ransom.
As data breaches of this scale continue to hit the headlines, it is critical that businesses change the way they think about data protection, and broaden their mind-set beyond the classic definition of what data is considered to be sensitive. It’s never been more critical for businesses to extend robust encryption policies to cover all personally identifiable information of customers so that the data is rendered unreadable and worthless to those with malicious intent.”
“Protecting a massive trove of user data is one of the biggest challenges that all businesses running web applications face. In the case of Yahoo!, there’s a lot of interesting data aside from password hashes – potentially a lot of personally identifiable information (PII) per user. I think we have to remind ourselves how many properties and brands Yahoo! operates and multiply that by the number of data points the Internet company collects from its user base.”
“If the Yahoo hack is indeed confirmed, it only emphasizes the critical importance of maintaining strong authentication measures in both personal and professional web applications. With so many accounts potentially open for hacker use in distributing advanced malware, a data breach of this scale will no doubt have a far-reaching impact on malware distribution worldwide. We recommend changing passwords immediately, and considering second-factor authentication to ensure that accounts are not being used by malware spammers. Because enterprise assets such as laptops are used in a blurred fashion between personal and professional every day in our daily lives, it also underscores the criticality of protecting organizations from the network core to the outer edges against advanced persistent threats. A hack like the alleged Yahoo! one can provide a very large distribution hub through legitimate accounts on a huge scale and for years to come.”
“200 million user accounts is a significant breach. Since we don’t have the specifics yet, it will be hard to say how everything happened. What we do know is that accounts that have been breached have value. The reason they have value is that people use the same password for multiple sites. The industry has been warning users for years that they need different complex passwords for each account they use online. The problem is that many consumers have dozens of accounts and remembering that many passwords is hard.
“So again, what is the value of the breached accounts to the dark web and hacker community? The true value comes from the ability for attackers to socially engineer attacks specifically targeting breached victims. They have personally identifiable information most of the time, such as names, addresses, phone numbers, and email addresses. Some breaches have even included question and answer profiles for “I forgot my password”, which can quickly allow an attacker to compromise victims’ email accounts. We may not realize it, but when an attacker gains control of your email, they in essence own your identity. The attacker that buys the breached credentials will dictate what level of mischief or flat-out criminal activity will ensue. Keep in mind, some attackers will design spoofing attacks to try and get at higher-profile information within an organization, while others will directly attack other websites looking for the same username/password combination they obtained from the breach. The bottom line here is: if you have a current Yahoo account or have ever had a Yahoo account, change all of your passwords – pronto.”
“Unfortunately, these large-scale incidents against high-profile organisations are becoming the norm. The reason is that all attackers want the same two things: credentials and data.
“Credentials are the mechanism to gain access to the data, and data because it has value. Therefore, it makes sense that organizations that hold vast amounts of credentials, such as Yahoo, are prime targets. Even if only 1% of the compromised credentials have access to data of any value, that’s still a full 2 million accounts worth of data.
“The breached credentials will provide access to data that likely contains personally identifiable information. This will allow the perpetrator access to bank accounts, credit facilities, maybe even private content such as we have seen with ‘celebrity’ home movies. All data that bad actors are prepared to pay large sums for.
“If you think about it, personal data may often have a larger dollar value than many businesses do.”
ISBuzz Team embodies the collaborative efforts of the dedicated staff at Information Security Buzz, converging a wide range of skills and viewpoints to present a unified, engaging voice in the information security realm. This entity isn't tied to a single individual; instead, it's a dynamic embodiment of a team diligently working behind the scenes to keep you updated and secure. When you read a post from ISBuzz Team, you're receiving the most relevant and actionable insights, curated and crafted by professionals tuned in to the pulse of the cybersecurity world. ISBuzz Team - your reliable compass in the fast-evolving landscape of information security