Yahoo! data breach

Yahoo! data breach

David Gibson

VP of Strategy and Market Development at Varonis Systems

Views 469

Yahoo! data breach

16.12.2016 03:15 pm

The fact that this is the second Yahoo! breach that has been disclosed in the last 3 months just goes to show how deep some of these major data breaches go. Many organisations are breached just as severely as Yahoo!, but may never know as they are not actively investigating.

“Bob Lord, Yahoo!’s CISO, said that steps have been taken to secure the accounts that have been breached. I am always sceptical of statements like this. How do you know? What if the remaining accounts were breached without any evidence left behind? We don’t know what we don’t know. You almost have to concede the worst: the entirety of our data has been compromised. Perhaps more worrying is that, according to a former security engineer, Yahoo! installed a backdoor that allowed the NSA to read ALL user’s emails behind their security teams backs. The thing about backdoors is that bad guys can find them too.

“However, organisations also have a responsibility to their partners, customers and employees to protect sensitive information and disclose breach activity. Quite often breaches are confirmed, not by an organisation’s security teams, but by discovery and confirmation of leaked data on the Dark Web.

 Organisations should be taking steps to, not only safeguard data, but also provide forensic evidence when the worst happens. The first step in a data security strategy should be to instrument your environment to be able to a.) see who is accessing data, when, and how b.) profile normal behaviour, and c.) alert on abuse. Step two should be to identify sensitive data and ensure that only the right people have access (i.e., the principle of least privilege). Step three is to implement automated processes and human checkpoints to verify that controls put in place stay in place so you don’t backslide to an insecure state.

Interestingly, if Yahoo! hadn’t instrumented their environment to detect evidence of intrusion, they may never have “officially” discovered the recent two data breaches, which have been devastating to their brand and may have ultimately cost them their sale to Verizon.

The upcoming breach notification requirements will also place a new burden on data controllers like Yahoo!. Under the GDPR, the IT security mantra is “always be monitoring”. You’ll need to spot unusual access patterns against files containing personal information, and promptly report an exposure to the local data authority. Failure to do so can lead to enormous fines, particularly for multinationals with large global revenues just like Yahoo!.

 Passwords leaked were hashed with a VERY weak algorithm (unsalted MD5), however, if users changed their password after the last reported breach, they should be safe since this one happened in 2013. Interestingly, when I attempt to change my Yahoo! account password via 1Password using a random 32 character string, I get a vague error message. Yet it lets me use “thisismypassword”

 Users can learn more about what makes the best password from the internet security basics course that we’re running with security expert, Troy Hunt.

Latest blogs

Carl Uminski Somo

Are We Digitally Ready for a Cashless Britain?

Economists estimate that only eight per cent of the world’s money exists in the form of tangible coins and notes; the rest is floating in the digital ether. According to a survey by Forex Bonuses, Britain is third in the world league table of Read more »

Stephan Schmidt-Tank Amazon Web Services

Look to Efficiency and Innovation to Drive Competitive Advantage in Banking

We’re seeing a wave of change sweeping the industry directly related to financial institutions’ need to innovate and transform to compete. At a time when customers’ expectations are changing fast and customer centric companies need to move faster Read more »

Ian Massingham Amazon Web Services

Three Keys to Compliance: Cloud in Financial Services

The global perception of “moving to the cloud” has undergone multiple shifts since its inception. What began as a leap of faith into the unknown has become a core enabler for businesses that want to experiment, innovate and grow. So much so that Read more »

Serdar Karliev kpi.com

Bringing ERP to SMEs

Interview: Serdar Karliev, CEO of kpi.com Financial IT: How would you describe kpi.com? Read more »

Sanjeev Patil Girmiti Software.

Mobile Wallets - Redefining Customer Experience through Enhanced Features

Lately, there has been a lot of buzz around Mobile Wallets as it is creating a new wave in Digital Payments. Nonetheless, Mobile wallets are still at a nascent stage in most of the developing countries, but has become the mode of payment in most of Read more »

Related Blogs

Matt Hooper IMImobile

Police warn of 63% rise in SIM swap scams - response from industry expert

Now that banking on mobile devices is the norm, SIM swap fraud is becoming a growing concern across the industry. There is serious pressure on banks and mobile operators to address the issue before serious reputational damage is done; with the Read more »

Rachna Ahlawat Ondot Systems

How The Major Breaches In 2018 Showed Us That It’s Time For Consumers To Take Greater Control Of Their Cards

A few months ago British Airways became one of the latest big-name brands to suffer a major data breach, as hackers managed to steal card details – something that has this week been reported could have raised up to $12.2m (£9.4m) for Russian hackers Read more »

Magazine
ALL
Free Newsletter Sign-up
+44 (0) 208 819 32 53 +44 (0) 173 261 71 47
Download Our Mobile App
Financial It Youtube channel