Following the news that Yahoo! announced that one billion of its user accounts were hacked in 2013, IT security experts from SailPoint, VASCO Data Security, Prevalent, Inc., STEALTHbits Technologies, Inc. and Avast commented below.
Kevin Cunningham, President and Founder at SailPoint:
“What this latest breach disclosure by Yahoo! underscores is an interesting trend where hackers are breaching user accounts, not necessarily to infiltrate corporate networks and applications, but to grab highly sensitive data hiding in email and other unstructured file stores. Think about all of the highly sensitive files that could be lurking in these breached Yahoo email accounts: incredibly sensitive tax or financial statements, personal healthcare data, even banking or credit card information.
“And that’s what hackers are after today: sensitive data that is ripe for the taking. With analysts estimating that unstructured data comprises 80% of all enterprise data today, this is an incredibly big challenge for companies today who lack proper visibility into the data stored there. Not only do companies struggle to understand what data even lives in these unstructured data stores, but because hackers often steal copies, it’s sometimes impossible to know what data was even taken. And, even if you identify and stop an attack, the data is still in the hands of the bad guys.
“What this means is that in 2017, not only will we see even more attacks targeting data stored in unstructured systems, but that it is critical that identity becomes the focal point for securing data stored in both corporate systems and unstructured databases, emails and files stores. Understanding who has access to your data, and how they are using that data is critical – no matter if that data lives in a corporate application or system, or in an unstructured system like email.”
John Gunn, VP of Communications at VASCO Data Security:
“Static passwords are the only internet technology that people are still trying to use more than 20 years after introduction. The scarier part of this disclosure is the revelation that security questions were also exposed. You can change your password after a breach, but you can’t change the name of your first school, favorite teacher, or first animal. Multifactor authentication is simple, effective, and easy to implement – so there is simply no reason for passwords to still be in use.”
Jeff Hill, Director of Product Management at Prevalent, Inc.:
“By far the most relevant and disquieting element of this story is that it took Yahoo – not exactly a backwater, technophobic organization – over 3 years to discover bad actors on its network exfiltrating billions of records. The lesson is clear: no organization is immune to compromise. What makes this a significant episode is not the breach itself, but the time-to-detection. Criminal actors can do significant damage in days and weeks; give them years, and all bets are off.”
Brad Bussie, CISSP, Director of Product Management at STEALTHbits Technologies, Inc.:
“What started as a report of 500 million user accounts with one breach has again grown to 1 billion user accounts in an unprecedented breach report. What is even more disturbing is that the 1 billion user breach happened in 2013, predating the 500 million we previous learned about. We know that accounts that have been breached have value.
“The reason they have value is that people use the same password for multiple sites. The industry has been warning users for years that they need different complex passwords for each account they use online. The problem is that many consumers have dozens of accounts and remembering multiple passwords is hard. So again, what is the value of the breached accounts to the dark web and hacker community? The true value comes from the ability for attackers to socially engineer techniques specifically targeting breached victims. They have personal identifiable information like name, address, phone number, and email address.
“This breach also includes question and answer profiles for “I forgot my password” which can quickly allow an attacker to compromise victims email accounts and know very personal information like mother’s maiden name and favorite pet. We may not realize it, but when an attacker gains control of your email they in essence own your identity. The attacker that buys the breached credentials will dictate what level of mischief or flat out criminal activity that will ensue. Keep in mind, some attackers will design spoofing attacks to try and get at higher profile information within an organization, while others will directly attack multiple websites looking for the same username/password combination they obtained from both breaches. If you were not a victim in the last breach, chances are you will be effected by this one.
“The bottom line here is if you have a current Yahoo account or have ever had a Yahoo account; change all of your passwords and question/answer profiles; pronto.”
Pete Turner, Consumer Security Expert at Avast:
“Consumers’ can no longer trust companies to keep their data safe, and the regular news stories hitting the headlines of data breaches is example of this. My tips for staying safe online are:
- Secure any online accounts, such as banking or social media, and not just your Yahoo! account by ensuring they aren’t sharing the same email and password combination. If you are re-using login details across multiple accounts, change them and use two-step authentication if possible, such as a password and a back-up phone number or other account.
- Be alert to suspicious activity on your accounts such as receiving any potentially fake emails. If your data is at risk for having been compromised, you should validate these as genuine by contacting the company that sent them directly or visiting their website before taking any of the action suggested by the email.
- Finally, as you would expect, I always recommend having a good internet security product on your PC or mobile devices. Whether you use a laptop or a tablet to access your online accounts, you should always ensure you are as protected as possible against any hacks, phishing tricks or spam emails because as we have seen, we can’t rely on other people to keep us safe online.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.