Yahoo! data breach

David Gibson

VP of Strategy and Market Development at Varonis Systems

Views 398

Yahoo! data breach

16.12.2016 03:15 pm

The fact that this is the second Yahoo! breach that has been disclosed in the last 3 months just goes to show how deep some of these major data breaches go. Many organisations are breached just as severely as Yahoo!, but may never know as they are not actively investigating.

“Bob Lord, Yahoo!’s CISO, said that steps have been taken to secure the accounts that have been breached. I am always sceptical of statements like this. How do you know? What if the remaining accounts were breached without any evidence left behind? We don’t know what we don’t know. You almost have to concede the worst: the entirety of our data has been compromised. Perhaps more worrying is that, according to a former security engineer, Yahoo! installed a backdoor that allowed the NSA to read ALL user’s emails behind their security teams backs. The thing about backdoors is that bad guys can find them too.

“However, organisations also have a responsibility to their partners, customers and employees to protect sensitive information and disclose breach activity. Quite often breaches are confirmed, not by an organisation’s security teams, but by discovery and confirmation of leaked data on the Dark Web.

 Organisations should be taking steps to, not only safeguard data, but also provide forensic evidence when the worst happens. The first step in a data security strategy should be to instrument your environment to be able to a.) see who is accessing data, when, and how b.) profile normal behaviour, and c.) alert on abuse. Step two should be to identify sensitive data and ensure that only the right people have access (i.e., the principle of least privilege). Step three is to implement automated processes and human checkpoints to verify that controls put in place stay in place so you don’t backslide to an insecure state.

Interestingly, if Yahoo! hadn’t instrumented their environment to detect evidence of intrusion, they may never have “officially” discovered the recent two data breaches, which have been devastating to their brand and may have ultimately cost them their sale to Verizon.

The upcoming breach notification requirements will also place a new burden on data controllers like Yahoo!. Under the GDPR, the IT security mantra is “always be monitoring”. You’ll need to spot unusual access patterns against files containing personal information, and promptly report an exposure to the local data authority. Failure to do so can lead to enormous fines, particularly for multinationals with large global revenues just like Yahoo!.

 Passwords leaked were hashed with a VERY weak algorithm (unsalted MD5), however, if users changed their password after the last reported breach, they should be safe since this one happened in 2013. Interestingly, when I attempt to change my Yahoo! account password via 1Password using a random 32 character string, I get a vague error message. Yet it lets me use “thisismypassword”

 Users can learn more about what makes the best password from the internet security basics course that we’re running with security expert, Troy Hunt.

Latest blogs

Peter Shackleton Upgrade Pack

Banking and customer retention – why trust is no longer enough

Banking and customer retention in 2019 – why trust is no longer enough. Fintech had a moment in 2018. The UK fintech scene overtook the US in terms of investment and cemented its position at the front of the peloton in Europe. In 2018 valuations Read more »

Jukka Yliuntinen Mobey Forum, Giesecke+Devrient Mobile Security

An ID-eal position: Banks and trusted digital identity

The rapid pace of digital transformation has left many industries scrambling to find secure, convenient ways of establishing identity for digital services.The identity ecosystem has become fragmented and complex, with too many stop-gap solutions Read more »

Duena Blomstrom N/A

Why A Culture Of “Us Versus Them” Is Deadly

Employees today are by and large unhappy at work. Survey after survey shows mistrust, fear and stagnation reigning supreme. Read more »

Jerry Norton CGI

Extending the bank: Key drivers, technologies and steps

What does it mean to extend the bank? Traditionally, banks have manufactured, distributed and managed all of their own products and services. The concept of extend describes how this traditional model is changing as the value chain becomes unbundled Read more »

David Moss Avi Networks

Maintaining Trust While Navigating through a Multi-Cloud World

Financial services companies are extending data centres with private and public clouds to keep up with demand, but does a multi-cloud environment introduce too much complexity and risk? Read more »

Related Blogs

Matt Hooper IMImobile

Police warn of 63% rise in SIM swap scams - response from industry expert

Now that banking on mobile devices is the norm, SIM swap fraud is becoming a growing concern across the industry. There is serious pressure on banks and mobile operators to address the issue before serious reputational damage is done; with the Read more »

Rachna Ahlawat Ondot Systems

How The Major Breaches In 2018 Showed Us That It’s Time For Consumers To Take Greater Control Of Their Cards

A few months ago British Airways became one of the latest big-name brands to suffer a major data breach, as hackers managed to steal card details – something that has this week been reported could have raised up to $12.2m (£9.4m) for Russian hackers Read more »

Magazine
ALL
Free Newsletter Sign-up
+44 (0) 208 819 32 53 +44 (0) 173 261 71 47
Download Our Mobile App