
Yahoo under fire over data breach affecting 500 million users

Yahoo comes under fire for not detecting and notifying users sooner of the biggest breach of personal details to date

Yahoo has come under fire for not informing users sooner of a data breach in 2014 that exposed personal details of “at least” 500 million users.

The breach is believed to be the biggest publicly reported breach of its type to date, overtaking the previous record of just over 359 million user details exposed in a 2008 breach at MySpace.

Yahoo has also been criticised for lax security processes: for taking so long to detect and confirm the breach internally, and for failing to encrypt all security questions and answers.

The UK’s privacy watchdog, the Information Commissioner’s Office (ICO), has indicated that it will be investigating the breach to understand the impact on UK citizens.

Information Commissioner Elizabeth Denham said the number of people affected by the breach is “staggering” and demonstrates just how severe the consequences of a security hack can be.

“The US authorities will be looking to track down the hackers, but it is our job to ask serious questions of Yahoo on behalf of British citizens and I am doing that.

“We don’t yet know all the details of how this hack happened, but there is a sobering and important message here for companies that acquire and handle personal data. People’s personal information must be securely protected under lock and key – and that key must be impossible for hackers to find,” she said. 

The first public indications of a breach at Yahoo emerged in August 2016, when a hacker known as “Peace” was reportedly attempting to sell data from 200 million Yahoo accounts.

The internet firm has now confirmed that a “recent investigation” revealed that the compromised data may have included names, email addresses, telephone numbers, dates of birth, hashed passwords, and some encrypted or unencrypted security questions and answers.

Those investigating the breach say the compromised data does not appear to have included payment card data or bank account information.

Yahoo said the breach appears to have been carried out by a “state-sponsored actor”, but says there is no evidence the hackers are still in the Yahoo network and that the company is working closely with law enforcement.

The company is notifying all potentially affected users and urging them to change their passwords and to consider using Yahoo Account Key, an authentication tool designed to eliminate passwords.


Potentially affected users are also being advised to change their password and security questions and answers for any other accounts using the same information used for their Yahoo account.

Yahoo has invalidated unencrypted security questions and answers so they cannot be used to access an account.

“An increasingly connected world has come with increasingly sophisticated threats. Industry, government and users are constantly in the crosshairs of adversaries,” said Bob Lord, chief information security officer at Yahoo.

“Through strategic proactive detection initiatives and active response to unauthorised access of accounts, Yahoo will continue to strive to stay ahead of these ever-evolving online threats and to keep our users and our platforms secure,” he wrote in a blog post.

Businesses must ‘learn from mistakes’

While Yahoo has confirmed the breach took place in late 2014, it has not made it clear exactly when it became aware of the breach, said Keatron Evans, senior security researcher at Blink Digital Security.

“If it happened in 2014, and the company has known about it for the past two years, then why has it taken so long to reveal the extent of the breach? This slow response could become a PR nightmare that damages the company’s reputation,” he said.

“It goes to show how difficult it can be to determine the root cause of an attack that happened months or even years in the past without the right training and tools.”

The one thing that is clear at this point, said Evans, is that all enterprises need to learn from Yahoo’s mistakes by putting in place a robust post-breach remediation plan that has the tools to investigate breaches faster.

“There are appliances in the market that help to automate and speed up the forensics process, so no company of Yahoo’s size has the luxury of leaving customers hanging for months without adequate information or a plan for corrective action,” said Evans.

Troy Gill, manager of security research at AppRiver, said: “The sad reality is this is the latest in a long list of organisations that have been caught napping when it comes to protecting customers’ data, and I don’t think we’ve seen the last confession yet.

“In fact, as technology infiltrates every facet of our lives, we are only opening the door for these types of events to be more frequent and by all likelihood more impactful.
  
“I would be interested to know the findings by Yahoo when they allegedly investigated the 200 million records that were for sale on the dark web. Were the records confirmed as valid? If so, why did it take this long to inform users of the breach and why were no forced password resets issued prior?
 
“Keeping customers’ data secure should be a priority for all enterprises. A determined hacker can be difficult to detect, but organisations need to commit to hardening themselves to these types of attacks. This breach serves as a stark warning to all organisations that no company is too big or too small a target,” he said.

Ignorance is not the answer

Michael Lipinski, CISO and chief security strategist at Securonix, said the Yahoo breach is the perfect example that some organisations are already breached, but just do not know about it yet.

“We can’t keep accepting this level of ignorance as the best we can do,” he said, adding that he does not believe it took two years to find the breach.

“With the Verizon acquisition in process, there is this thing called due diligence that happens. I firmly believe that this is only now coming to light due to that due diligence. I believe someone knew about this earlier,” said Lipinski.

“Whether there was a cover up or if this breach was not uncovered for two years, this is a huge failure of the Yahoo team for not being able to identify this much earlier,” he said.

Lipinski said the Yahoo security team appears to be trying to deflect the risk to users by saying that passwords were hashed using bcrypt.

“Ask them how that worked out for Ashley Madison. They used the same salt hash and the hackers found a work around to the brute force methods of cracking the password,” he said.
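The exchange above turns on two properties of a password store: a per-user salt and a tunable cost, which is what bcrypt provides, and the absence of any weaker copy of the same secret. The following is an added example, not code from the article, from Yahoo or from Ashley Madison: it builds a small credential table two ways and runs the same offline dictionary attack against each. bcrypt is not in the Python standard library, so `hashlib.pbkdf2_hmac` (salted and iterated) stands in for it; the users, the wordlist and the low round count are constructed for the demo.

```python
"""Added example, not from the article or from Yahoo: why a slow, per-user-salted
password hash resists offline cracking, and why that protection is void when a
fast unsalted hash of the same password is stored beside it.

bcrypt is not in the Python standard library, so hashlib.pbkdf2_hmac (salted,
iterated) stands in for it here; the principle is the same. The users, the
wordlist and the round count below are constructed for the demo."""
import hashlib
import hmac
import os

WORDLIST = ["password", "letmein", "yahoo2014", "hunter2", "correcthorse"]
SLOW_ROUNDS = 2000  # stand-in for a bcrypt cost factor; kept low so the demo runs fast


def slow_hash(password: str, salt: bytes, rounds: int = SLOW_ROUNDS) -> bytes:
    """bcrypt-style hash: per-user salt plus a tunable number of iterations."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)


def fast_hash(password: str) -> str:
    """Unsalted, single-pass MD5: the kind of 'convenience' copy that undoes the slow hash."""
    return hashlib.md5(password.encode()).hexdigest()


def make_store(users: dict, keep_fast_copy: bool) -> list:
    """Build a credential table; optionally also keep an unsalted MD5 copy of each password."""
    rows = []
    for name, pw in users.items():
        salt = os.urandom(16)  # fresh random salt per user
        row = {"user": name, "salt": salt, "slow": slow_hash(pw, salt)}
        if keep_fast_copy:
            row["fast"] = fast_hash(pw)
        rows.append(row)
    return rows


def crack_slow(rows: list, wordlist: list) -> tuple:
    """Offline guessing against the salted slow hashes. Because every user has a
    different salt, each candidate must be rehashed per user, so the attacker
    pays users x candidates x rounds; nothing can be precomputed."""
    found, hashes_computed = {}, 0
    for row in rows:
        for word in wordlist:
            hashes_computed += 1
            if hmac.compare_digest(slow_hash(word, row["salt"]), row["slow"]):
                found[row["user"]] = word
                break
    return found, hashes_computed


def crack_fast(rows: list, wordlist: list) -> tuple:
    """Offline guessing against unsalted MD5: hash the wordlist once, then every
    user is a dictionary lookup. The slow hash next to it never has to be touched."""
    table = {fast_hash(w): w for w in wordlist}  # precomputed once, reused for all users
    found = {}
    for row in rows:
        if "fast" in row and row["fast"] in table:
            found[row["user"]] = table[row["fast"]]
    return found, len(wordlist)


def demo() -> dict:
    users = {"alice": "letmein", "bob": "hunter2", "carol": "Tr0ub4dor&3"}  # constructed

    # Store A keeps only the slow salted hash.
    store_a = make_store(users, keep_fast_copy=False)
    slow_found, slow_hashes = crack_slow(store_a, WORDLIST)
    fast_found_a, _ = crack_fast(store_a, WORDLIST)  # nothing fast to attack

    # Store B keeps the slow hash AND an unsalted MD5 of the same password.
    store_b = make_store(users, keep_fast_copy=True)
    fast_found_b, fast_hashes = crack_fast(store_b, WORDLIST)

    return {
        "slow_found": slow_found,                      # users whose password was in the list
        "slow_hashes_computed": slow_hashes,           # one slow hash per (user, candidate) tried
        "slow_iterations": slow_hashes * SLOW_ROUNDS,  # what the attacker actually pays
        "fast_found_without_copy": fast_found_a,       # {} : no fast hash to look up
        "fast_found_with_copy": fast_found_b,          # same users fall, at a fraction of the cost
        "fast_hashes_computed": fast_hashes,           # wordlist hashed once, for all users
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of the comparison is the cost model, not the cracked count: with only the salted slow hash, every guess must be recomputed per user and per candidate at the full round count, so a real bcrypt cost factor (a base-2 exponent, commonly 10 to 12 in production) makes wordlists of any size expensive. The moment an unsalted fast hash of the same password exists anywhere in the store, the attacker hashes the wordlist once and the slow hash is irrelevant.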

Everyday security practices

Jes Breslaw, European director of strategy at Delphix, said the Yahoo breach underlines the importance of embedding strong data security into everyday practices.

“Time and time again, we’ve seen the wide-ranging implications of a data breach. Consumer confidence takes a hit, reputations are left in tatters and fingers are pointed at those in charge of safeguarding the organisation from attack,” he said.

“Yet despite the growing number of global scandals, our research shows that only a quarter of data in the UK is masked.

“Traditionally, organisations are very good at taking measures to protect data in their production systems, such as their websites, but neglect to protect the sensitive information held in their non-production environments where IT testing and development happens.

“In an evolving threat landscape, data conscious organisations need to ensure that data security is embedded into everyday practices. What’s needed is an irreversible process that obfuscates personal information but ensures dummy data is still available so organisations can prioritise security, but ensure development processes continue unhindered.

“Embracing new technologies – including those that combine data virtualisation with data masking – ensures that organisations can pseudonymise data once and guarantee that all subsequent copies have the same protective policies applied. This will future-proof the business from costly data breaches and ensure compliance while improving agility and time to market,” said Breslaw.
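What Breslaw describes in general terms is deterministic, irreversible pseudonymisation applied once, so that every non-production copy carries the same masked values and joins between tables still work. The following is an added example, not code from the article or from Delphix, showing one way to do that with a keyed HMAC from the standard library: the table contents, field names and masking key are constructed for the demo, and the key is assumed to stay with the masking job rather than travel to test or development.

```python
"""Added example, not from the article or from Delphix: deterministic,
irreversible pseudonymisation of personal fields so that a production extract
can go to test and development environments without the real values, while
keeping referential integrity between copies. Table contents, field names and
the masking key are constructed for the demo."""
import hashlib
import hmac
import re

# Hypothetical masking key: lives only with the masking job, never in non-production.
MASKING_KEY = b"demo-key-held-only-by-the-masking-job"


def pseudonym(value: str, n: int = 12) -> str:
    """Keyed HMAC tag, truncated. Same input + same key -> same token in every copy;
    without the key the token can be neither reversed nor recomputed."""
    canonical = value.strip().lower().encode()
    return hmac.new(MASKING_KEY, canonical, hashlib.sha256).hexdigest()[:n]


def mask_email(email: str) -> str:
    """Keep the shape of an address so validation in test still passes."""
    return f"user-{pseudonym(email)}@example.invalid"


def mask_name(name: str) -> str:
    return f"Person {pseudonym(name, n=8)}"


def mask_phone(phone: str) -> str:
    """Same digit count as the original; digits derived from the HMAC, not from the number."""
    digits = re.sub(r"\D", "", phone)
    tag = hmac.new(MASKING_KEY, digits.encode(), hashlib.sha256).digest()
    return "".join(str(b % 10) for b in tag)[: len(digits)]


def mask_dob(dob: str) -> str:
    """Generalise rather than tokenise: keep the year (age bands still work), drop month and day."""
    return dob[:4] + "-01-01"


def mask_answer(answer: str) -> str:
    """Security answers are passwords in disguise; they never need to be readable in test."""
    return pseudonym(answer, n=16)


MASKING_RULES = {
    "email": mask_email,
    "name": mask_name,
    "phone": mask_phone,
    "dob": mask_dob,
    "security_answer": mask_answer,
}


def mask_rows(rows: list, rules: dict = MASKING_RULES) -> list:
    """Apply the same rule set to every copy; unknown fields pass through unchanged."""
    return [{k: (rules[k](v) if k in rules else v) for k, v in row.items()} for row in rows]


def leaked_values(original: list, masked: list, fields=tuple(MASKING_RULES)) -> set:
    """Check: does any original personal value survive anywhere in the masked output?"""
    blob = repr(masked).lower()
    return {row[f] for row in original for f in fields if f in row and row[f].lower() in blob}


def demo_tables() -> tuple:
    users = [  # constructed
        {"email": "Ann.Lee@example.com", "name": "Ann Lee", "phone": "+44 20 7946 0958",
         "dob": "1984-07-19", "security_answer": "Rex", "plan": "free"},
        {"email": "bob@example.com", "name": "Bob Ray", "phone": "415-555-0134",
         "dob": "1972-02-02", "security_answer": "Springfield", "plan": "premium"},
    ]
    logins = [  # a second table keyed on the same email field
        {"email": "ann.lee@example.com", "when": "2014-11-02T10:14:00Z"},
        {"email": "bob@example.com", "when": "2014-11-03T08:01:00Z"},
    ]
    return users, logins


def demo() -> dict:
    users, logins = demo_tables()
    m_users, m_logins = mask_rows(users), mask_rows(logins)
    join = {u["email"]: u["plan"] for u in m_users}
    return {
        "masked_users": m_users,
        "join_still_works": all(l["email"] in join for l in m_logins),
        "leaks": leaked_values(users, m_users) | leaked_values(logins, m_logins),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two design choices matter here. A keyed HMAC rather than a plain hash is what makes the tokens irreversible for anyone who holds only the masked copies: a plain SHA-256 of an e-mail address can be reversed by hashing a list of candidate addresses. Normalising the input before hashing is what keeps the join between the two tables intact when production stored the same address with different capitalisation. The `leaked_values` check is the kind of test a masking job should run on its own output before the extract leaves the production boundary.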

4 comments

This indicates just how apposite were the recommendations of the Culture, Media and Sport Select Committee Cybersecurity Enquiry after the Talk Talk Enquiry.
http://www.computerweekly.com/blog/When-IT-Meets-Politics/CMS-Select-Committee-turns-Cybersecurity-reporting-focus-from-breaches-to-performance

The Department has yet to respond. It will be interesting to see how they do so, probably after the party conference season, given that the main recommendations were really for the new Information Commissioner - on how she uses her existing powers, let alone those to come under the GDPR.

Yahoo is a deserving target for fury here. They failed miserably. But the real anger should be directed to the companies that underfunded the coding and never bothered to close the gaping holes once they were found. This is no longer "interesting." It's a major security and financial (and political) problem that should never have been ignored.

NCBerns should reserve his real fury for the professional bodies which have yet to mandate security by design in their qualifications. The BCS and IET have only recently included security as a mandatory component for the degree level courses they accredit - starting NEXT year.

There is NO excuse.

Failing to check for the vulnerability that enables SQL injections would have cost me $100 for every member of the department who found the loophole back in 1968 when I was STC Microwave and Line's first graduate IT apprentice (although I was actually called a "graduate engineer, first class"). Before systems went out for user acceptance testing, any member of staff could "challenge" the system by putting down "ten bob" (effectively $10 current money). I would have to give them a fiver (effectively $100 current money) if they could crash it doing anything a user could do. The chief programmer tended to go first, and looking for loops that could be "opened up" in unintended ways was one of his standard hunts. One of my main tasks was to strip out unnecessary code so that parts explosions could be done over lunch on an IBM 360/40. Short-circuiting unnecessary loops was an obvious, but potentially expensive, solution. Then "computer science degrees" were invented in the 1970s and the embryonic "profession" stepped back a decade. Then came minis and it again stepped back a decade. Then came micros and it again ... then came ... blah di blah.

I was recently told that people only want "just enough," and it's a trend that I see all too often when people try to be more "agile" and produce software more quickly. Unfortunately, just enough is often not good enough.
