sb-eu logo
Story image

Yahoo's colossal security breach - experts give their opinions

04 Oct 2017

The latest news from Yahoo is certainly nothing to cheer about.

The Internet giant has announced that it wasn’t some accounts that were hacked, it was every single one – all three billion of them.

To provide some reference, winding back to December 2016, Yahoo announced that based on its analysis of data files provided by law enforcement, the company believed that an unauthorised party stole data associated with certain user accounts in August 2013.

At the time this was staggering, as the number of hacked user accounts was put somewhere around one billion. This new eye-watering figure marks a three-fold increase over the initial estimate.

The disclosure comes just four months after Verizon acquired Yahoo's core internet assets for US$4.48 billion, which was already reduced thanks to the breach.

In a statement on its site, Yahoo says for affected accounts the stolen user information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers.

A number of experts have stepped forward with commentary following Yahoo’s latest announcement, including:

Rich Campagna, CEO at Bitglass

“Back when the breach was first disclosed, we noted that many large enterprises lack the necessary controls to limit unauthorised access. While this remains the case, a breach where virtually all Yahoo users are affected is unprecedented.

It’s difficult to imagine any circumstance in which an organisation committed to security could have all network segmentation, policies, and security measures bypassed completely. Even over a prolonged period of time, it is exceedingly difficult to exfiltrate three billion records without setting off a single actionable alarm.

When the deal between Verizon and Yahoo was initially announced, we saw the direct impact that the breach had on the price of the acquisition. This goes to show that a seemingly small gap in security can be devastating and have prolonged business impacts.”

Thomas Fischer, global security advocate at Digital Guardian

“The issue here is that account details were compromised without the victims being alerted, leaving them vulnerable to phishing attacks and other forms of social engineering over the last four years.

Mass data breaches like this are a treasure trove for malicious attackers. Using the compromised login details, hackers may have attempted to hijack the email accounts to steal more data, or target the victims’ friends, family and place of work."

Ilia Kolochenko, CEO of High-Tech Bridge

“Taking into consideration that the integrity of Yahoo user accounts was compromised, one can reasonably infer that Yahoo ignored the fundamental principles of access segregation, continuous security monitoring and related security processes.

Therefore, it’s a bit hard to believe that sensitive information related to these accounts remained safe. Moreover, even hashed passwords can be bruteforced and then leveraged by the attackers. Information like date of birth or answer to secret question(s) can be a universal door-opener for cybercriminals. Anyway, Yahoo has already learned a very hard lesson and served an example to others that cybersecurity is pivotal for digital business.”

Stephen Moore, chief security strategist at Exabeam

“Large-scale breaches like this have driven a greater focus on behavioural analytics over the last couple of years. This is because it can help combat attempts to exfiltrate data by notifying the security team when someone is doing something that is unusual and risky – even when that activity is out of context, both on an individual basis and compared to peers.

With behavioural analytics combined with machine learning, this actionable information should be available in a couple clicks; not after an extended period of time."

Story image
Illumio launches Zero Trust endpoint protection solution for our digital, remote world
“As organisations were forced to transform overnight to allow for remote work, a host of endpoint security issues that have either been ignored or invisible until now were brought to the forefront."More
Story image
Rackspace and Cloudflare join forces for managed edge security
Rackspace and Cloudflare join forces for managed edge security The solution includes a web application firewall, DDoS protection, DNS services and a global content delivery network, backed by 24/7 support.More
Link image
Improved fire safety to protect your valuable equipment
Don’t take the risk – the 70 bar SAPPHIRE PLUS system has been specifically developed to help suppress fires quickly and easily in areas with valuable equipment, where other technologies could be less effective.More
Story image
Gartner recognises Pulse Secure for Zero Trust Network Access solution
In the market guide, Gartner states that ZTNA augments traditional VPN technologies for application access, and removes the excessive trust once required to allow employees and partners to connect and collaborate. More
Story image
New channel leader for LogicMonitor APAC
Swapnil Shah heads to LogicMonitor after holding key roles at global systems integrators Infosys and Tech Mahindra.More
Story image
State-based cyber attack targeting Australian government and businesses
Prime Minister Scott Morrison told media on Friday morning that a 'malicious' attack by a state-based cyber actor is underway in the country.More