Yahoo: billion accounts theft

by Mark Rowe

Internet company Yahoo says that in August 2013 an unauthorized third party stole data associated with more than one billion user accounts. It is notifying potentially affected users.

The firm recommends that users change their passwords and security questions and answers for any other accounts on which they used the same or similar information as for their Yahoo account. Yahoo also suggests users be cautious of any unsolicited communications that ask for personal information or refer them to a web page asking for personal information, and avoid clicking on links or downloading attachments from suspicious emails.

The stolen user account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers; but not passwords in clear text, payment card data, or bank account information, which Yahoo says are not stored in the system it believes was affected. Note that MD5 is a fast general-purpose hash rather than a password-hashing function, so MD5-hashed passwords in a dump can be guessed offline at very high speed and should be treated as effectively exposed.

View the Yahoo Account Security Issues FAQs page: https://yahoo.com/security-update.

What regulator says

At the UK data protection regulator the ICO, Deputy Information Commissioner Simon Entwisle said on December 15: “This latest report of another significant data loss at Yahoo gives us further cause for concern. We’d expect any formal investigation to be handled by US and European authorities, but the ICO will continue to make its voice heard on behalf of people affected in the UK.

“We are talking to Yahoo again today and we are in touch with the relevant international authorities to ensure the data protection interests of UK customers are considered. The scale of this attack is unprecedented and it is not yet known how many UK users are affected. We would urge all Yahoo users who have not changed their passwords recently to consider doing so now.”

Other comments

John Madelin, CEO at RelianceACSN, said: “We thought the previous breach of 500 million user accounts was huge, but 1 billion is monumental.”

Ed Macnair, CEO of web security product company CensorNet, said: “A breach of this size is almost unfathomable – even disregarding the fact this is the second massive breach disclosure from Yahoo in a matter of months.”

Tyler Moffitt, Senior Threat Research Analyst at cyber security company Webroot, said: “This latest Yahoo breach is huge on many levels. All of the data stolen, including emails, passwords and security questions, make a potent package for identity theft. The main email account has links to other online log-ins and the average user likely has password overlap with multiple accounts. This breach is separate from the September one, having happened in 2013, and it took a third party to analyze and bring it to their attention. This is disgraceful as Yahoo would have remained unaware. The fact that Yahoo has taken steps to secure user accounts is of little comfort.”

Ilia Kolochenko, CEO of web security firm High-Tech Bridge, said: “Announcing such a massive breach three years after it occurred is a very serious, and hopefully well-thought-out, step taken by Yahoo. As we don’t have any clear technical details around what has actually happened, it’s difficult to make any conclusions on who or what was at the origins of the breach.

“However, I am pretty sure that this news has the potential to negatively impact the deal with Verizon. Such disclosure, taking into consideration the unclear and even suspicious disclosure timeline – just before the buyout, may provide a valid reason for Yahoo’s shareholders to sue Yahoo’s top management if the deal fails or brings less money than expected.

“I don’t think the breach will impact Yahoo’s customers in any new manner now, unless someone makes the breached database public and enables the re-use of passwords and secret questions/answers. The attackers who breached Yahoo must have already leveraged the compromised data for their own purposes.”

Philip Lieberman, CEO of Lieberman Software, said: “The truth and lesson to be learned from this situation is that you must always be looking for intrusions, expect them, expect they will not be discoverable, and operate your infrastructure to minimize losses. If you are not constantly looking for intrusions and running your shop to minimize losses, you will always find yourself in a total loss of security as Yahoo now finds themselves. The competitors to Yahoo operate their shops looking for these types of intrusions and when they see personally identifiable information (PII) leakage, they shut it down. The key to the success of their competitors is the investment in people, processes and technology to mitigate losses.

“The fact that the CISO cannot identify the source of the loss says everything: they are simply not operating their shop for an acceptable loss outcome. Simple salting of the user database (inclusion of special dummy records) could provide them with the visibility to the source of the loss, but even this simple technique was not used given the total lack of understanding of the loss. Security behind the protection of PII is a matter of culture and dedication, and is not necessarily a money issue. The core of this problem lies at the feet of the CEO and Board of Directors in this case in not managing and monitoring their most precious asset: their customers’ information and thereby damaging shareholder equity.”
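The “dummy records” Lieberman refers to are canary (honeytoken) accounts: fake but plausible users seeded into each copy of a database so that, when a dump surfaces, the canaries it contains identify which copy leaked. The following is an added example of that technique and is not Yahoo’s or Lieberman Software’s code; the domain, copy names and the sample dump are all constructed for the demonstration.

```python
"""Canary ("dummy") records for a user database: seed a few fake but
plausible accounts into every copy of the data, then use them to tell
which copy a leaked dump came from. Added example; not Yahoo's or
Lieberman Software's code."""
import hashlib
import secrets

# Assumed: mailboxes under this domain are honeypots that no real user
# owns, so any mail or login attempt against a canary address is itself
# an alert.
CANARY_DOMAIN = "example.com"


def make_canaries(copy_name, count=3, seed=None):
    """Create `count` fake user records for one copy of the database.

    Addresses are derived from (seed, copy_name, index) so they are unique
    per copy and reproducible from the seed, which is kept out of the
    database being protected."""
    seed = seed if seed is not None else secrets.token_bytes(16)
    records = []
    for i in range(count):
        digest = hashlib.sha256(seed + copy_name.encode("utf-8") + bytes([i])).hexdigest()
        tag = digest[:10]
        records.append({
            "email": "u%s@%s" % (tag, CANARY_DOMAIN),
            "name": "Canary %s" % tag[:4].upper(),
            # A production canary would also carry a plausible date of
            # birth, phone number and password hash so it cannot be
            # filtered out of a dump by looking for incomplete rows.
            "copy": copy_name,
        })
    return records


def build_registry(copy_names, seed=None):
    """Map each canary email to the database copy it was seeded into."""
    seed = seed if seed is not None else secrets.token_bytes(16)
    registry = {}
    for name in copy_names:
        for rec in make_canaries(name, seed=seed):
            registry[rec["email"].lower()] = name
    return registry


def attribute_dump(dump_emails, registry):
    """Return {copy_name: [canary emails]} for every canary present in a
    leaked dump. An empty result means no canary from any copy appears
    (or the leak pre-dates seeding)."""
    hits = {}
    for raw in dump_emails:
        email = raw.strip().lower()
        owner = registry.get(email)
        if owner is not None:
            hits.setdefault(owner, []).append(email)
    return hits


if __name__ == "__main__":
    # Constructed demo: three copies of the database and a dump that
    # contains one canary from the analytics export plus ordinary addresses.
    reg = build_registry(["prod-primary", "analytics-export", "vendor-feed"], seed=b"\x00" * 16)
    leaked_canary = next(e for e, c in reg.items() if c == "analytics-export")
    dump = ["real.user@example.com", leaked_canary.upper(), "someone.else@example.com"]
    print(attribute_dump(dump, reg))
```

The attribution only works if each copy (primary, replicas, analytics exports, partner feeds) gets its own distinct canaries; a single shared set tells you the database leaked but not from where. The registry and seed must live outside the database they protect, otherwise the attacker takes the answer key along with the data.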

And Andre Stewart, VP EMEA at Netskope said: “Criminals are searching for information from many different sources and using that information to target user accounts in all sorts of locations, whether that’s the company network, a smartphone on the train or in an airport, or an employee working on a laptop in a coffee shop. Each new, successful hack on data in the cloud can release a whole new raft of user details like usernames, passwords, dates of birth, etc. which can then be used to gain access to other accounts and services in the cloud.

“When the same credentials are used for multiple services, these types of breaches put enterprise data at risk, so organisations should educate their users on basic password hygiene. The IT department needs resources to actively monitor for credentials revealed in breaches which are also being used to access company resources. If compromised credentials are found to be in use, companies should lock those accounts and get users to change their login credentials to keep data secure. Organisations should also monitor for any anomalous activity which could indicate an unauthorised log-in attempt.”
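Stewart's advice amounts to three controls: check whether a credential presented at login is one already exposed in a breach, treat unsalted MD5 hashes in such a dump as if they were cleartext (which also bears on the MD5-hashed passwords described earlier on this page), and watch the authentication log for one source trying many accounts. The block below is an added example of all three and is not Netskope's or Yahoo's code; the breach dump, the log lines and the wordlist are constructed for the demonstration.

```python
"""Breached-credential checks: detect logins that use an (email, password)
pair exposed in a breach dump, show why unsalted MD5 hashes are
effectively cleartext, and flag credential-stuffing sources in an auth
log. Added example; not Netskope's or Yahoo's code."""
import hashlib
from collections import defaultdict

# Constructed sample dump in "email:md5(password)" form, mirroring the
# MD5-hashed passwords the page describes. Not real breach data.
BREACH_DUMP = """\
alice@example.com:5f4dcc3b5aa765d61d8327deb882cf99
bob@example.com:e10adc3949ba59abbe56e057f20f883e
carol@example.com:25d55ad283aa400af464c76d713c07ad
"""

# Constructed auth log lines: timestamp followed by key=value fields.
AUTH_LOG = """\
2016-12-15T09:00:01Z ip=203.0.113.7 user=alice@example.com result=fail
2016-12-15T09:00:02Z ip=203.0.113.7 user=bob@example.com result=fail
2016-12-15T09:00:03Z ip=203.0.113.7 user=carol@example.com result=ok
2016-12-15T09:00:04Z ip=203.0.113.7 user=dave@example.com result=fail
2016-12-15T09:05:00Z ip=198.51.100.9 user=erin@example.com result=fail
2016-12-15T09:05:30Z ip=198.51.100.9 user=erin@example.com result=ok
"""


def load_breach_dump(text):
    """Parse the dump into {email: set(md5 hex digests)}."""
    exposed = defaultdict(set)
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        email, digest = line.split(":", 1)
        exposed[email.lower()].add(digest.lower())
    return exposed


def is_exposed_credential(email, password, exposed):
    """True if this exact (email, password) pair appears in the dump.
    MD5 is computed here only because that is what the dump holds; it is
    not a suitable function for storing passwords."""
    digest = hashlib.md5(password.encode("utf-8")).hexdigest()
    return digest in exposed.get(email.lower(), set())


def decide_login(email, password, exposed):
    """Policy hook to run after the normal password check succeeds: a
    credential known to be exposed gets the account locked and reset
    instead of being allowed through."""
    if is_exposed_credential(email, password, exposed):
        return "LOCK_AND_RESET"
    return "ALLOW"


def recover_from_wordlist(exposed, wordlist):
    """Offline guessing against unsalted MD5: one hash per candidate word
    is compared against every account at once, which is why such a dump
    should be handled as cleartext passwords."""
    table = {hashlib.md5(w.encode("utf-8")).hexdigest(): w for w in wordlist}
    found = {}
    for email, digests in exposed.items():
        for d in digests:
            if d in table:
                found[email] = table[d]
    return found


def stuffing_sources(log_text, min_distinct_users=3):
    """Flag source IPs that tried at least `min_distinct_users` different
    accounts: the signature of credential stuffing from a breach list.
    Successful attempts count too, since those are the reused passwords."""
    users_by_ip = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        fields = dict(tok.split("=", 1) for tok in line.split()[1:])
        users_by_ip[fields["ip"]].add(fields["user"].lower())
    return {ip for ip, users in users_by_ip.items() if len(users) >= min_distinct_users}


if __name__ == "__main__":
    exposed = load_breach_dump(BREACH_DUMP)
    print(decide_login("alice@example.com", "password", exposed))
    print(recover_from_wordlist(exposed, ["letmein", "password", "123456"]))
    print(stuffing_sources(AUTH_LOG))
```

In production the exposed-credential lookup is done against a hash of the candidate rather than by shipping the dump around (the k-anonymity range query offered by Have I Been Pwned is the usual pattern), and the stuffing threshold is tuned per source and time window rather than fixed; the shape of the checks is the same.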

© 2024 Professional Security Magazine. All rights reserved.