After Massive Yahoo Data Breach: Have We Learned Anything?

Another massive, headline-grabbing data breach was announced this week from Yahoo. What have we learned, and what wider security industry questions just keep resurfacing?

by Dan Lohrmann / October 2, 2016

News media reports around the world this past week were full of stories surrounding the Yahoo data breach. In case you missed the news, here are some of the specific incident details.

CNN Money: “Yahoo says 500 million accounts stolen”

Yahoo (YHOO, Tech30) confirmed on Thursday data "associated with at least 500 million user accounts" have been stolen in what may be one of the largest cybersecurity breaches ever. The company said it believes a "state-sponsored actor" was behind the data breach, meaning an individual acting on behalf of a government. The breach is said to have occurred in late 2014.

The Wall Street Journal: “Yahoo Hackers Were Criminals Rather Than State-Sponsored, Security Firm Says” InfoArmor says the hackers sold Yahoo database at least three times, including once to a state-sponsored actor.

An information-security firm says the hackers who stole at least 500 million records from Yahoo Inc. two years ago are criminals who are selling access to the database, and not a state-sponsored group as Yahoo contends.

Computerworld: “Hackers have a treasure trove of data with the Yahoo breach”

Prior to Thursday's confirmed breach, Yahoo had already been investigating another leak. In August, an anonymous hacker was found selling a database with login details on 200 million Yahoo accounts.

The company hasn't said if the two incidents are connected. Still, Alex Holden, CIO at security firm Hold Security, wonders how many hackers are in possession of the company's stolen database.

"The Yahoo data breach will have a much bigger impact than almost any other breach that I can speak of," Holden said. "Yahoo was once the number one email provider."

What’s Different About Another Big Data Breach?

The more things change, the more things stay the same. That is the sentiment from around the technology and cybersecurity industries following this latest Yahoo breach announcement. Over the past few years, we have seen a series of high-profile data breaches, from the Office of Personnel Management (OPM) to The White House to breaches at hundreds of other public- and private-sector companies.

And yet, some are calling this Yahoo announcement the biggest data breach ever. Many are saying that this particular situation is raising new issues that have not come up before.

For example: Reuters.com pointed out that the Yahoo hack may become a test case for SEC data breach disclosure rules.

Yahoo's disclosure that hackers stole user data from at least 500 million accounts in 2014 has highlighted shortcomings in U.S. rules on when cyber attacks must be revealed and their enforcement.

Democratic Senator Mark Warner this week asked the U.S. Securities and Exchange Commission to investigate whether Yahoo and its senior executives properly disclosed the attack, which Yahoo blamed on Sept. 22 on a "state-sponsored actor."

The Yahoo hack could become a test case of the SEC's guidelines, said Jacob Olcott, former Senate Commerce Committee counsel who helped develop them, due to the size of the breach, intense public scrutiny and uncertainty over the timing of Yahoo's discovery.

CNN pointed out that the implications of this incident go far beyond Yahoo, to the questions and answers that end users have regarding all of their online content.

Computerworld highlighted the amount of time it took for us to learn about this hack, which actually occurred back in 2014. According to the article:

Verizon, which is finalizing its $4.8 billion purchase of Yahoo, said late Thursday it was notified of the massive data breach at Yahoo only in the last two days.

Verizon said it would evaluate what it will do next. In an emailed statement, the company acknowledged that it now has only "limited information and understanding of the impact" of the hack.

Finally, The Financial Times (FT.com) described the broad scope of the data breach:

According to the company, a “state-sponsored actor” hacked into its network in late 2014 and stole personal details of 500m user accounts. The details include names, email addresses, telephone numbers, dates of birth and “hashed” passwords, which means the passwords are partially obscured using a security technique that scrambles them.

The company also lost some users’ encrypted or unencrypted security questions and answers — such as mother’s maiden name, first car or pet and so on. Unencrypted security questions and answers can be read by anybody in plain text.

Payment data and bank account information were not stolen, Yahoo said.

Digging Deeper: Personal Perspective and Actions


I think this breach raises much wider implications for online life than some previous data breach situations. The Wall Street Journal (WSJ) suggested that our entire password reset approach has become ineffective and needs to be changed. Also, should organizations automatically reset passwords after such a breach? Read this important WSJ analysis:

Questions are swirling around a move by Yahoo Inc., after a massive data breach, to urge users to change their email passwords manually, rather than deploy an automatic reset of all passwords across the board.

But forcing users to reset passwords for their main email accounts isn’t so easy, cybersecurity experts told CIO Journal.

The New York Times reported Wednesday that Yahoo Chief Executive Marissa Mayer “had rejected the most basic security measure of all: an automatic reset of all user passwords, a step security experts consider standard after a breach.”

“The problem is that the password reset mechanism usually involves sending a link to the email address registered with that account,” Mr. [Shape Security Chief Technology Officer Shuman] Ghosemajumder said. But if the password to be reset is for your main email account, there is no way to approve or verify any changes. And few Yahoo users are likely to have registered secondary email accounts to receive those links, he added.

As a result, there is no mechanism to force a password reset without unintentionally locking users out of their accounts.

Worse still: Security questions and answers — often used to allow users to re-access their accounts after being locked out — won’t always solve the problem.

In Yahoo’s case, for instance, hackers stole users’ plain text security questions and answers. As such, Yahoo was “forced to invalidate those questions as a means of authentication,” Mr. Ghosemajumder said.
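Two lessons from the FT and WSJ excerpts above can be shown in code: security answers should be stored salted and hashed like passwords rather than in plain text, and post-breach remediation should pick a reset channel that does not lock users out of their primary mailbox. This is an added illustration written for this post, not Yahoo's code; the Account fields (recovery_email, totp_enrolled) and the remediate() policy are assumptions.

```python
import hashlib
import hmac
import os
import unicodedata
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


def normalize_answer(answer: str) -> str:
    """Fold case and drop spaces/punctuation so 'Mr. Whiskers' matches 'mr whiskers'."""
    folded = unicodedata.normalize("NFKC", answer).casefold()
    return "".join(ch for ch in folded if ch.isalnum())


def hash_answer(answer: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Store a security answer like a password: per-record salt plus memory-hard scrypt."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(normalize_answer(answer).encode(), salt=salt, n=2**14, r=8, p=1)
    return salt, digest


def verify_answer(answer: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison; a stolen (salt, digest) pair does not reveal the answer."""
    return hmac.compare_digest(hash_answer(answer, salt)[1], digest)


@dataclass
class Account:
    email: str                                   # primary mailbox (the one reset links would go to)
    recovery_email: Optional[str] = None         # assumed: verified secondary address, may be None
    totp_enrolled: bool = False                  # assumed: second factor enrolled
    sessions: List[str] = field(default_factory=list)
    must_reset: bool = False
    sq_valid: bool = True


def remediate(acct: Account) -> str:
    """Post-breach handling for one account; returns the reset channel chosen."""
    acct.sessions.clear()        # stolen cookies and tokens stop working immediately
    acct.sq_valid = False        # security answers treated as exposed, as Yahoo did
    acct.must_reset = True       # old password is accepted only once more, to set a new one
    if acct.totp_enrolled:
        return "totp"            # second factor proves identity without the mailbox loop
    if acct.recovery_email and acct.recovery_email.split("@")[1] != acct.email.split("@")[1]:
        return "recovery_email"  # out-of-band link avoids sending the reset to the breached mailbox
    return "next_login"          # no side channel: force the change at next successful login
```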

Marketwatch.com advised everyone who had a Yahoo account to consider three simple steps.

  1. Change your password.
  2. Set up two-factor authentication.
  3. Keep an eye on your account.

Readers of my blog are very familiar with these steps, and here is a reminder from my blog of the details of No. 2.

Final Thoughts

The Hacker News website ended the week with the suggestion that the Yahoo breach may have impacted more than a billion users.

Regardless of the final overall number, this situation provides another wake-up call for enterprises to take action on cybersecurity in case you’ve missed the last dozen large data breach wake-up calls.

Sadly, most small, mid-size and large organizations tend to not learn as much as they should from these massive data breaches. Far too many organizations (remarkably) still believe “it won’t happen to us.” The same can be said of individuals who need to change their online security settings or reset passwords or use two-factor authentication.

As C. Northcote Parkinson once said, “Delay is the deadliest form of denial.”