Yahoo! data breach

David Gibson

VP of Strategy and Market Development at Varonis Systems

16.12.2016 03:15 pm

The fact that this is the second Yahoo! breach disclosed in the last 3 months shows how deep some of these major data breaches go. Many organisations are breached just as severely as Yahoo! but may never know it, because they are not actively investigating.

Bob Lord, Yahoo!’s CISO, said that steps have been taken to secure the accounts that have been breached. I am always sceptical of statements like this. How do you know? What if the remaining accounts were breached without any evidence left behind? We don’t know what we don’t know. You almost have to concede the worst: the entirety of our data has been compromised. Perhaps more worrying is that, according to a former security engineer, Yahoo! installed a backdoor that allowed the NSA to read ALL users’ emails behind their security team’s backs. The thing about backdoors is that bad guys can find them too.

However, organisations also have a responsibility to their partners, customers and employees to protect sensitive information and to disclose breach activity. Quite often breaches are confirmed not by an organisation’s security team but by the discovery and confirmation of leaked data on the Dark Web.

Organisations should be taking steps not only to safeguard data but also to preserve forensic evidence when the worst happens. The first step in a data security strategy should be to instrument your environment so that you can (a) see who is accessing data, when and how, (b) profile normal behaviour, and (c) alert on abuse. Step two should be to identify sensitive data and ensure that only the right people have access to it (the principle of least privilege). Step three is to implement automated processes and human checkpoints to verify that the controls put in place stay in place, so you don’t backslide into an insecure state.
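As an added illustration of those three steps, here is a small Python monitoring pipeline written for this page; it is not Varonis code and not anything the author describes beyond the steps themselves. The access log, the entitlement table and the two ACL snapshots are constructed sample data, and the baseline/live cut-off date, the top-level-directory notion of an "area" and the burst factor of 2 are assumptions chosen for the example. Step one parses the log, builds a per-user baseline and alerts on departures from it; step two checks reads of sensitive areas against entitlements; step three compares the approved ACL with a current snapshot to catch backsliding.

```python
"""Added example: instrument -> profile -> alert -> verify controls, on constructed data."""
from collections import defaultdict
from datetime import datetime

# Constructed sample access log (not real Yahoo! data): "<ISO time> <user> <action> <path>".
# The first days establish a baseline; the 2016-12-10 burst is the anomaly to catch.
ACCESS_LOG = """\
2016-12-01T09:02:11 alice READ /finance/q3-forecast.xlsx
2016-12-01T09:05:40 alice READ /finance/q3-budget.xlsx
2016-12-01T09:30:02 bob READ /eng/design-notes.md
2016-12-02T09:10:15 alice READ /finance/q3-forecast.xlsx
2016-12-02T10:00:00 bob WRITE /eng/design-notes.md
2016-12-03T09:12:44 alice READ /finance/q3-budget.xlsx
2016-12-03T11:15:00 bob READ /eng/roadmap.md
2016-12-10T02:14:03 bob READ /hr/salaries.csv
2016-12-10T02:14:09 bob READ /hr/payroll-2016.csv
2016-12-10T02:14:15 bob READ /finance/q3-forecast.xlsx
2016-12-10T02:14:20 bob READ /finance/q3-budget.xlsx
2016-12-10T02:14:25 bob READ /hr/performance-reviews.docx
"""

# Step 2 (assumed entitlements): which users may read each sensitive area.
ENTITLEMENTS = {"/hr": {"carol"}, "/finance": {"alice"}}

# Step 3 (assumed snapshots): the approved ACL versus what the file server reports today.
APPROVED_ACL = {"/hr/salaries.csv": {"carol"}, "/finance/q3-forecast.xlsx": {"alice"}}
CURRENT_ACL = {"/hr/salaries.csv": {"carol", "everyone"}, "/finance/q3-forecast.xlsx": {"alice"}}

BASELINE_CUTOFF = datetime(2016, 12, 5)   # events before this date train the profile (assumption)
BURST_FACTOR = 2                          # alert when hourly volume exceeds baseline max * factor

def parse_log(text):
    """Step 1a: turn raw log lines into events recording who, what, when and where."""
    events = []
    for line in text.strip().splitlines():
        ts, user, action, path = line.split()
        events.append({"time": datetime.fromisoformat(ts), "user": user, "action": action,
                       "path": path, "area": "/" + path.split("/")[1]})
    return events

def hour_key(event):
    """Bucket an event by user and calendar hour, for volume counting."""
    return (event["user"], event["time"].strftime("%Y-%m-%dT%H"))

def build_profile(events):
    """Step 1b: per-user baseline of areas touched, hours of activity and peak hourly volume."""
    profile = defaultdict(lambda: {"areas": set(), "hours": set(), "max_per_hour": 0})
    per_hour = defaultdict(int)
    for e in events:
        p = profile[e["user"]]
        p["areas"].add(e["area"])
        p["hours"].add(e["time"].hour)
        per_hour[hour_key(e)] += 1
        p["max_per_hour"] = max(p["max_per_hour"], per_hour[hour_key(e)])
    return dict(profile)

def detect(events, profile, entitlements):
    """Step 1c and step 2: alert on departures from the baseline and on access to sensitive
    areas by users who are not entitled to them. Returns a list of (user, reason, path)."""
    alerts = []
    per_hour = defaultdict(int)
    for e in events:
        per_hour[hour_key(e)] += 1
        p = profile.get(e["user"])
        if p is None:
            alerts.append((e["user"], "no baseline for user", e["path"]))
        else:
            if e["area"] not in p["areas"]:
                alerts.append((e["user"], "new area", e["path"]))
            if e["time"].hour not in p["hours"]:
                alerts.append((e["user"], "unusual hour", e["path"]))
            if per_hour[hour_key(e)] > p["max_per_hour"] * BURST_FACTOR:
                alerts.append((e["user"], "volume burst", e["path"]))
        allowed = entitlements.get(e["area"])
        if allowed is not None and e["user"] not in allowed:
            alerts.append((e["user"], "sensitive data without entitlement", e["path"]))
    return alerts

def control_drift(approved, current):
    """Step 3: report principals that gained access beyond the approved ACL (backsliding)."""
    return {path: current.get(path, set()) - allowed
            for path, allowed in approved.items()
            if current.get(path, set()) - allowed}

def run_example():
    """Train on the baseline window, then run detection on the live window and the ACL check."""
    events = parse_log(ACCESS_LOG)
    baseline = [e for e in events if e["time"] < BASELINE_CUTOFF]
    live = [e for e in events if e["time"] >= BASELINE_CUTOFF]
    profile = build_profile(baseline)
    return detect(live, profile, ENTITLEMENTS), control_drift(APPROVED_ACL, CURRENT_ACL)

if __name__ == "__main__":
    alerts, drift = run_example()
    for alert in alerts:
        print("ALERT", *alert)
    for path, extra in drift.items():
        print("DRIFT", path, "gained", sorted(extra))
```

On the constructed data every alert is about bob's 2 a.m. sweep through /hr and /finance (new area, unusual hour, a volume burst from the third read onwards, and reads of sensitive areas he is not entitled to), the baseline days produce no alerts, and the drift check reports that "everyone" has been added to /hr/salaries.csv since the ACL was approved. In a real deployment the profile would be rebuilt on a rolling window and the thresholds tuned per data set, but the shape of the pipeline is the same.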

Interestingly, if Yahoo! hadn’t instrumented their environment to detect evidence of intrusion, they may never have “officially” discovered the recent two data breaches, which have been devastating to their brand and may have ultimately cost them their sale to Verizon.

The upcoming breach notification requirements will also place a new burden on data controllers like Yahoo!. Under the GDPR, the IT security mantra is “always be monitoring”. You’ll need to spot unusual access patterns against files containing personal information, and promptly report an exposure to the local data authority. Failure to do so can lead to enormous fines, particularly for multinationals with large global revenues just like Yahoo!.

The leaked passwords were hashed with a VERY weak algorithm (unsalted MD5). However, users who changed their password after the last reported breach should be safe, since this one happened in 2013. Interestingly, when I attempt to change my Yahoo! account password via 1Password using a random 32-character string, I get a vague error message. Yet it lets me use “thisismypassword”.
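To make the "unsalted MD5" point concrete, here is an added Python example that is not Yahoo!'s code and not anything the author shows: it contrasts the legacy scheme with a salted, iterated PBKDF2-HMAC-SHA256 record and demonstrates the usual remediation for a store full of legacy digests, upgrading each user's record on their next successful login. The record layout, the iteration count, the in-memory store and the user names are this example's own assumptions.

```python
"""Added example: what unsalted MD5 leaks, and how to store and migrate to salted PBKDF2."""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000   # assumed work factor for this example; tune to your hardware

def legacy_md5_hash(password):
    """The weak scheme the article describes: one fast, unsalted MD5 per password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def make_record(password, salt=None):
    """Salted, iterated PBKDF2-HMAC-SHA256 record in this example's own layout:
    'pbkdf2$<iterations>$<salt hex>$<hash hex>'. A fresh random salt per record means
    two users with the same password get different records."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"

def verify_record(password, record):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2":
        return False
    _, iters, salt_hex, hash_hex = parts
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), hash_hex)

class UserStore:
    """In-memory credential store (assumed for the example) holding a mix of legacy MD5
    digests and PBKDF2 records. A legacy entry is upgraded the next time its user logs in."""

    def __init__(self):
        self.records = {}

    def add_legacy(self, user, password):
        """Seed a user the way the old system would have stored them."""
        self.records[user] = legacy_md5_hash(password)

    def scheme(self, user):
        return "pbkdf2" if self.records[user].startswith("pbkdf2$") else "md5"

    def login(self, user, password):
        rec = self.records.get(user)
        if rec is None:
            return False
        if rec.startswith("pbkdf2$"):
            return verify_record(password, rec)
        # Legacy path: check the MD5 digest, then rehash so the weak digest is gone.
        if hmac.compare_digest(rec, legacy_md5_hash(password)):
            self.records[user] = make_record(password)
            return True
        return False

def shared_password_exposure(store):
    """Map each stored value that more than one user shares to those users. With unsalted
    MD5, identical passwords give identical digests, so one leaked table exposes every
    user of a common password at once; salted records never collide this way."""
    seen = {}
    for user, rec in store.records.items():
        seen.setdefault(rec, []).append(user)
    return {rec: users for rec, users in seen.items() if len(users) > 1}

if __name__ == "__main__":
    store = UserStore()
    store.add_legacy("alice", "thisismypassword")   # constructed users, not real accounts
    store.add_legacy("bob", "thisismypassword")
    print("shared digests before migration:", shared_password_exposure(store))
    store.login("alice", "thisismypassword")         # alice's record is upgraded here
    print("alice now stored with:", store.scheme("alice"), "bob still with:", store.scheme("bob"))
    print("shared digests after migration:", shared_password_exposure(store))
```

Until a user logs in, their legacy digest stays in the store, which is why a breach that predates the migration still exposes those accounts and why the article's advice to change the password after a breach is the only thing that actually helps such a user. Forcing a reset for any account still on the legacy scheme after a grace period closes that gap.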

Users can learn more about what makes the best password from the internet security basics course that we’re running with security expert Troy Hunt.
