Yahoo! data breach

David Gibson

VP of Strategy and Market Development at Varonis Systems

Views 308

Yahoo! data breach

16.12.2016 03:15 pm

The fact that this is the second Yahoo! breach that has been disclosed in the last 3 months just goes to show how deep some of these major data breaches go. Many organisations are breached just as severely as Yahoo!, but may never know as they are not actively investigating.

“Bob Lord, Yahoo!’s CISO, said that steps have been taken to secure the accounts that have been breached. I am always sceptical of statements like this. How do you know? What if the remaining accounts were breached without any evidence left behind? We don’t know what we don’t know. You almost have to concede the worst: the entirety of our data has been compromised. Perhaps more worrying is that, according to a former security engineer, Yahoo! installed a backdoor that allowed the NSA to read ALL user’s emails behind their security teams backs. The thing about backdoors is that bad guys can find them too.

“However, organisations also have a responsibility to their partners, customers and employees to protect sensitive information and disclose breach activity. Quite often breaches are confirmed, not by an organisation’s security teams, but by discovery and confirmation of leaked data on the Dark Web.

 Organisations should be taking steps to, not only safeguard data, but also provide forensic evidence when the worst happens. The first step in a data security strategy should be to instrument your environment to be able to a.) see who is accessing data, when, and how b.) profile normal behaviour, and c.) alert on abuse. Step two should be to identify sensitive data and ensure that only the right people have access (i.e., the principle of least privilege). Step three is to implement automated processes and human checkpoints to verify that controls put in place stay in place so you don’t backslide to an insecure state.

Interestingly, if Yahoo! hadn’t instrumented their environment to detect evidence of intrusion, they may never have “officially” discovered the recent two data breaches, which have been devastating to their brand and may have ultimately cost them their sale to Verizon.

The upcoming breach notification requirements will also place a new burden on data controllers like Yahoo!. Under the GDPR, the IT security mantra is “always be monitoring”. You’ll need to spot unusual access patterns against files containing personal information, and promptly report an exposure to the local data authority. Failure to do so can lead to enormous fines, particularly for multinationals with large global revenues just like Yahoo!.

 Passwords leaked were hashed with a VERY weak algorithm (unsalted MD5), however, if users changed their password after the last reported breach, they should be safe since this one happened in 2013. Interestingly, when I attempt to change my Yahoo! account password via 1Password using a random 32 character string, I get a vague error message. Yet it lets me use “thisismypassword”

 Users can learn more about what makes the best password from the internet security basics course that we’re running with security expert, Troy Hunt.

Latest blogs

Andrew Davies Fiserv

Managing Risk in the Era of Customer Experience

Delivering an excellent customer experience and managing risk are among financial institutions’ top priorities. Notably, these priorities are solidly linked: as life moves faster and new technologies are introduced to help make our financial lives Read more »

Tony Pepper Egress Software Technologies

Tony Pepper, CEO of Egress Software Technologies comments on Fax machines banned across the NHS

It is difficult to believe that such an outdated and unsecure system is still being used by the NHS when we consider the confidentiality of the information contained within patient records. According to the BBC, as many as 9,000 fax machines were Read more »

Jerome Bugnet MuleSoft

The Insurtech Revolution: a Survival Guide

The insurance industry is undergoing massive change as traditional providers race to digitally transform. This is due to the enormous pressure that insurers are facing on all fronts. On one side, consumer expectations have soared to new heights as Read more »

Graham Elliott Azur

Insurtech: time to get intelligent about solutions

The Turing test famously proposes that if a personcannot reliably distinguish between a machine and a human communicating with them in text, the computer can be said to be genuinely intelligent. The first software programme passed the test in 2014, Read more »

Makoto Shirota NRI

XR technology's potential in finance

What are VR, AR and MR? XR (extended reality or cross reality), an umbrella term that encompasses VR (virtual reality), AR (augmented reality) and MR (mixed reality), has long been a high-profile technology. Read more »

Related Blogs

Rachna Ahlawat Ondot Systems

How The Major Breaches In 2018 Showed Us That It’s Time For Consumers To Take Greater Control Of Their Cards

A few months ago British Airways became one of the latest big-name brands to suffer a major data breach, as hackers managed to steal card details – something that has this week been reported could have raised up to $12.2m (£9.4m) for Russian hackers Read more »

Magazine
ALL
Free Newsletter Sign-up
+44 (0) 208 819 32 53 +44 (0) 173 261 71 47
Download Our Mobile App