igor - Fotolia

Yahoo under fire over data breach affecting 500 million users

Yahoo comes under fire for not detecting and notifying users sooner of the biggest breach of personal details to date

Yahoo has come under fire for not informing users sooner of a data breach in 2014 that exposed personal details of “at least” 500 million users.

The breach is believed to be the biggest publicly reported breach of its type to date, overtaking the previous record of just over 359 million user details exposed in a 2008 breach at MySpace.

Yahoo has also been criticised for lax security processes for taking so long to detect and confirm the breach internally and for failing to encrypt all security questions and answers.

The UK’s privacy watchdog, the Information Commissioner’s Office (ICO) has indicated that it will be investigating the breach to understand the impact on UK citizens.

Information Commissioner Elizabeth Denham said the number of people affected by the breach is “staggering” and demonstrates just how severe the consequences of a security hack can be.

“The US authorities will be looking to track down the hackers, but it is our job to ask serious questions of Yahoo on behalf of British citizens and I am doing that.

“We don’t yet know all the details of how this hack happened, but there is a sobering and important message here for companies that acquire and handle personal data. People’s personal information must be securely protected under lock and key – and that key must be impossible for hackers to find,” she said. 

The first public indications of a breach at Yahoo emerged in August 2016, when a hacker known as “Peace” was reportedly attempting to sell data from 200 million Yahoo accounts.

The internet firm has now confirmed that a “recent investigation” revealed that the compromised data may have included names, email addresses, telephone numbers, dates of birth, hashed passwords, and some encrypted or unencrypted security questions and answers.

Those investigating the breach say the compromised data does not appear to have included payment card data, or bank account information.

Yahoo said the breach appears to have been carried out by a “state-sponsored actor” but there is no evidence the hackers are still in the Yahoo network and the company is working closely with law enforcement.

The company is notifying all potentially affected users and urging them to change their passwords and to consider using Yahoo Account Key, an authentication tool designed to eliminate passwords.

Read more about data breaches

Potentially affected users are also being advised to change their password and security questions and answers for any other accounts using the same information used for their Yahoo account.

Yahoo has invalidated unencrypted security questions and answers so they cannot be used to access an account.

“An increasingly connected world has come with increasingly sophisticated threats. Industry, government and users are constantly in the crosshairs of adversaries,” said Bob Lord, chief information security officer at Yahoo.

“Through strategic proactive detection initiatives and active response to unauthorised access of accounts, Yahoo will continue to strive to stay ahead of these ever-evolving online threats and to keep our users and our platforms secure,” he wrote in a blog post.

Businesses must ‘learn from mistakes’

While Yahoo has confirmed the breach took place in late 2014, it has not made it clear exactly when it became aware of the breach, said Keatron Evans, senior security researcher at Blink Digital Security.

“If it happened in 2014, and the company has known about it for the past two years, then why has it taken so long to reveal the extent of the breach? This slow response could become a PR nightmare that damages the company’s reputation,” he said.

“It goes to show how difficult it can be to determine the root cause of an attack that happened months or even years in the past without the right training and tools.”

The one thing that is clear at this point, said Evans, is that all enterprises need to learn from Yahoo’s mistakes by putting in place a robust post-breach remediation plan that has the tools to investigate breaches faster.

“There are appliances in the market that help to automate and speed up the forensics process, so no company of Yahoo’s size has the luxury of leaving customers hanging for months without adequate information or a plan for corrective action,” said Evans.

Troy Gill, manager of security research at AppRiver, said: “The sad reality is this is the latest in a long list of organisations that have been caught napping when it comes to protecting customers’ data, and I don’t think we’ve seen the last confession yet.

“In fact, as technology infiltrates every facet of our lives, we are only opening the door for these types of events to be more frequent and by all likelihood more impactful.
“I would be interested to know the findings by Yahoo when they allegedly investigated the 200 million records that were for sale on the dark web. Were the records confirmed as valid? If so, why did it take this long to inform users of the breach and why were no forced password resets issued prior?
“Keeping customers’ data secure should be a priority for all enterprises. A determined hacker can be difficult to detect, but organisations need to commit to hardening themselves to these types of attacks. This breach serves as a stark warning to all organisations that no company is too big or too small a target,” he said.

Ignorance is not the answer

Michael Lipinski, CISO and chief security strategist at Securonix, said the Yahoo breach is the perfect example that some organisations are already breached, but just do not know about it yet.

“We can’t keep accepting this level of ignorance as the best we can do,” he said, adding that he does not believe it took two years to find the breach.

“With the Verizon acquisition in process, there is this thing called due diligence that happens. I firmly believe that this is only now coming to light due to that due diligence. I believe someone knew about this earlier,” said Lipinski.

“Whether there was a cover up or if this breach was not uncovered for two years, this is a huge failure of the Yahoo team for not being able to identify this much earlier,” he said.

Lipinski said the Yahoo security team appears to be trying to deflect the risk to users by saying that passwords were hashed using bcrypt.

“Ask them how that worked out for Ashley Madison. They used the same salt hash and the hackers found a work around to the brute force methods of cracking the password,” he said.

Everday security practices

Jes Breslaw, European director of strategy at Delphix, said the Yahoo breach underlines the importance of embedding strong data security into everyday practices.

“Time and time again, we’ve seen the wide-ranging implications of a data breach. Consumer confidence takes a hit, reputations are left in tatters and fingers are pointed at those in charge of safeguarding the organisation from attack,” he said.

“Yet despite the growing number of global scandals, our research shows that only a quarter of data in the UK is masked. 

“Traditionally, organisations are very good at taking measures to protect data in their production systems, such as their websites, but neglect to protect the sensitive information held in their non-production environments where IT testing and development happens.

“In an evolving threat landscape, data conscious organisations need to ensure that data security is embedded into everyday practices. What’s needed is an irreversible process that obfuscates personal information but ensures dummy data is still available so organisations can prioritise security, but ensure development processes continue unhindered.

“Embracing new technologies – including those that combine data virtualisation with data masking – ensures that organisations can pseudonymise data once and guarantee that all subsequent copies have the same protective policies applied. This will future-proof the business from costly data breaches and ensure compliance while improving agility and time to market,” said Breslaw.

Read more on Privacy and data protection