
Yahoo's colossal security breach - experts give their opinions

04 Oct 17

The latest news from Yahoo is certainly nothing to cheer about.

The Internet giant has announced that it was not just some accounts that were compromised in its 2013 breach, it was every single one – all three billion of them.

To provide some reference, winding back to December 2016, Yahoo announced that based on its analysis of data files provided by law enforcement, the company believed that an unauthorised party stole data associated with certain user accounts in August 2013.

At the time this was staggering, as the number of compromised user accounts was put at roughly one billion. The new figure of three billion is three times that initial estimate.

The disclosure comes just four months after Verizon completed its acquisition of Yahoo's core internet assets for US$4.48 billion, a price that had already been cut from the originally agreed figure because of the earlier breach disclosures.

In a statement on its site, Yahoo says that for affected accounts the stolen user information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers. MD5 is a fast, general-purpose hash rather than a password-hashing function, so hashes of that kind offer little protection once they are in an attacker's hands.
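To make the MD5 point concrete, the following is an added example, not code from Yahoo or from the article: it runs an offline dictionary attack against unsalted MD5 password hashes for a handful of constructed user records, and contrasts that with a salted, memory-hard hash (scrypt from the Python standard library) of the same passwords. The user names, passwords and wordlist are all invented for the demonstration.

```python
from __future__ import annotations

import hashlib
import hmac
import os

# Constructed sample accounts (not real data). Two users chose the same weak password.
USERS = {"alice": "sunshine", "bob": "Tr0ub4dor&3", "carol": "sunshine"}

# Constructed attacker wordlist; deliberately does not contain bob's password.
WORDLIST = ["123456", "letmein", "sunshine", "qwerty", "iloveyou"]


def md5_hash(password: str) -> str:
    """Unsalted MD5 of the password, as reported for the 2013 Yahoo dataset."""
    return hashlib.md5(password.encode()).hexdigest()


def crack_unsalted_md5(hashes: dict[str, str], wordlist: list[str]) -> dict[str, str]:
    """Offline dictionary attack.

    Because there is no salt, one MD5 computation per candidate word is enough to
    test that word against every stolen hash at once, and every user who chose the
    same password falls together.
    """
    lookup = {md5_hash(word): word for word in wordlist}
    return {user: lookup[h] for user, h in hashes.items() if h in lookup}


def scrypt_hash(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Salted, memory-hard password hash using hashlib.scrypt (OpenSSL-backed).

    n=2**14, r=8 costs about 16 MB of memory per guess, which removes the
    "one hash tests every user" shortcut and makes each guess expensive.
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return salt, digest


def scrypt_verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison against a stored (salt, digest) pair."""
    return hmac.compare_digest(scrypt_hash(password, salt)[1], digest)


def demo() -> dict:
    """Run both sides of the comparison and return the results for inspection."""
    stolen = {user: md5_hash(pw) for user, pw in USERS.items()}
    cracked = crack_unsalted_md5(stolen, WORDLIST)

    # With scrypt, the same password hashed twice yields two different digests.
    salt_a, digest_a = scrypt_hash(USERS["alice"])
    salt_c, digest_c = scrypt_hash(USERS["carol"])

    return {
        "md5_identical_for_same_password": stolen["alice"] == stolen["carol"],
        "cracked": cracked,
        "scrypt_identical_for_same_password": digest_a == digest_c,
        "scrypt_verifies": scrypt_verify(USERS["alice"], salt_a, digest_a),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The interesting outcome is not only that two of the three accounts fall to a five-word list, but that alice and carol produce the same MD5 digest, so a single cracked hash exposes both of them; a salted scrypt digest does neither of those things, and bob survives only because his password happened not to be in the list, not because of anything MD5 did for him.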

A number of experts have stepped forward with commentary following Yahoo’s latest announcement, including:

Rich Campagna, CEO at Bitglass

“Back when the breach was first disclosed, we noted that many large enterprises lack the necessary controls to limit unauthorised access. While this remains the case, a breach where virtually all Yahoo users are affected is unprecedented.

It’s difficult to imagine any circumstance in which an organisation committed to security could have all network segmentation, policies, and security measures bypassed completely. Even over a prolonged period of time, it is exceedingly difficult to exfiltrate three billion records without setting off a single actionable alarm.

When the deal between Verizon and Yahoo was initially announced, we saw the direct impact that the breach had on the price of the acquisition. This goes to show that a seemingly small gap in security can be devastating and have prolonged business impacts.”

Thomas Fischer, global security advocate at Digital Guardian

“The issue here is that account details were compromised without the victims being alerted, leaving them vulnerable to phishing attacks and other forms of social engineering over the last four years.

Mass data breaches like this are a treasure trove for malicious attackers. Using the compromised login details, hackers may have attempted to hijack the email accounts to steal more data, or target the victims’ friends, family and place of work.”

Ilia Kolochenko, CEO of High-Tech Bridge

“Taking into consideration that the integrity of Yahoo user accounts was compromised, one can reasonably infer that Yahoo ignored the fundamental principles of access segregation, continuous security monitoring and related security processes.

Therefore, it’s a bit hard to believe that sensitive information related to these accounts remained safe. Moreover, even hashed passwords can be brute-forced and then leveraged by the attackers. Information like date of birth or answer to secret question(s) can be a universal door-opener for cybercriminals. Anyway, Yahoo has already learned a very hard lesson and served as an example to others that cybersecurity is pivotal for digital business.”

Stephen Moore, chief security strategist at Exabeam

“Large-scale breaches like this have driven a greater focus on behavioural analytics over the last couple of years. This is because it can help combat attempts to exfiltrate data by notifying the security team when someone is doing something that is unusual and risky – even when that activity is out of context, both on an individual basis and compared to peers.

With behavioural analytics combined with machine learning, this actionable information should be available in a couple of clicks; not after an extended period of time.”
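The kind of check Moore describes, an account's activity judged against its own history and against its peer group, can be sketched in a few lines. The following is an added example and is not code from Exabeam, Yahoo or the article: it scores one day of constructed outbound-transfer totals per account against a personal baseline and a pooled peer baseline using simple z-scores, and only raises an alert when both say the activity is unusual. The account names, peer groups, numbers and the threshold are all assumptions made for the demonstration.

```python
from __future__ import annotations

import statistics
from collections import defaultdict

# Constructed daily outbound-transfer totals in MB for the previous seven days.
# A real deployment would pull these from proxy, mail-gateway or DLP logs.
HISTORY = {
    "svc-backup": [1200, 1180, 1250, 1190, 1230, 1210, 1220],  # large but regular
    "analyst1": [40, 55, 38, 60, 45, 50, 42],
    "analyst2": [35, 48, 52, 41, 47, 39, 44],
    "analyst3": [50, 43, 47, 55, 38, 49, 46],
}

# Constructed totals for the day under review. analyst4 is a brand-new account
# with no history of its own.
TODAY = {"svc-backup": 1240, "analyst1": 980, "analyst2": 46, "analyst3": 51, "analyst4": 900}

# Peer grouping, e.g. from the HR system or directory group membership.
PEERS = {
    "svc-backup": "service",
    "analyst1": "analyst",
    "analyst2": "analyst",
    "analyst3": "analyst",
    "analyst4": "analyst",
}


def zscore(value: float, samples: list[float]) -> float:
    """How many standard deviations `value` sits above the mean of `samples`."""
    mean = statistics.fmean(samples)
    stdev = statistics.pstdev(samples) or 1.0  # avoid division by zero on flat history
    return (value - mean) / stdev


def score_day(history: dict, today: dict, peers: dict,
              threshold: float = 3.0, min_days: int = 3) -> dict:
    """Return {user: scores} for accounts whose activity is anomalous.

    An established account must look unusual against its own baseline AND against
    its peer group: this keeps the regularly noisy service account quiet. A new
    account with too little history is judged on the peer baseline alone, so
    unusual behaviour is still visible even without individual context.
    """
    pooled: dict[str, list[float]] = defaultdict(list)
    for user, values in history.items():
        pooled[peers[user]].extend(values)

    alerts = {}
    for user, value in today.items():
        own = history.get(user, [])
        peer_z = zscore(value, pooled[peers[user]])
        if len(own) < min_days:
            if peer_z > threshold:
                alerts[user] = {"self_z": None, "peer_z": round(peer_z, 1)}
            continue
        self_z = zscore(value, own)
        if self_z > threshold and peer_z > threshold:
            alerts[user] = {"self_z": round(self_z, 1), "peer_z": round(peer_z, 1)}
    return alerts


if __name__ == "__main__":
    for user, scores in score_day(HISTORY, TODAY, PEERS).items():
        print(f"ALERT {user}: {scores}")
```

With these numbers the backup service account moves 1240 MB and stays silent because that is what it does every day, analyst1 is flagged on both baselines, and the new analyst4 is flagged on the peer baseline alone. Real systems replace the z-score with richer models and many more features, but the two-baseline idea is the part worth keeping.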
