Without better security, massive Yahoo hack could be the new norm

Stronger authentication, less dependence on passwords needed to thwart wide-scale data breaches


It’s not the big one, but it’s close.

Yahoo confirmed long-suspected reports that a hacker had accessed millions of customer passwords. The number, however, is a bit shocking even to a reporter who’s been writing this same story for the past 10 years.

Five hundred million. For many years, I’ve prepared myself to report on a very, very large-scale data compromise that would undercut the integrity of the internet itself, and perhaps cause immediate harm to the economy.

This Yahoo news isn’t that. But it’s the closest thing to date. Yahoo disclosed on Thursday, Sept. 22, that 500 million user accounts had been compromised; data stolen by a hacker believed to be working for a nation state, the firm said.


“Yahoo believes that information associated with at least 500 million user accounts was stolen and the investigation has found no evidence that the state-sponsored actor is currently in Yahoo’s network,” the firm said. “Yahoo is working closely with law enforcement on this matter.”

The attack happened in 2014, which raises an obvious question: What took Yahoo so long to figure out the severity of the heist? Users also are entitled to know more about the state-sponsored attack, and any guesses at what its motivation might be.

Here’s what was taken:

“The account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords … and, in some cases, encrypted or unencrypted security questions and answers,” Yahoo said in a statement. “The ongoing investigation suggests that stolen information did not include unprotected passwords, payment card data, or bank account information; payment card data and bank account information are not stored in the system that the investigation has found to be affected.”

Yahoo has set up an information page on the hack. When I tried it Thursday afternoon, it was inaccessible, probably overwhelmed with traffic.

The news follows reports in early August that a massive dump of Yahoo data was being sold online by someone using the same handle as a hacker who sold similar data dumps from LinkedIn and MySpace.

In a sign perhaps that the data was old, and had been in the underground for some time, the hacker—using the name Peace—said he or she was selling data on 200 million users for a mere $1,400. Yahoo did not confirm this announcement was related to that incident.

Yahoo says users should change their passwords. And in fact, stories about the Peace data sale claim offered the same advice. Yes, you should change your passwords, and passwords at any site where you may have used that Yahoo password. It’s a little like closing the barn door after the hacker’s already been inside for a while, however.

Yahoo said it will notify impacted users and has “taken steps to secure their accounts.”

“These steps include invalidating unencrypted security questions and answers so that they cannot be used to access an account and asking potentially affected users to change their passwords,” the firm said.

It then tried to ease the blow a bit by talking about the increased prevalence of hacker attacks plotted by foreign governments.

“Online intrusions and thefts by state-sponsored actors have become increasingly common across the technology industry,” it said. “Yahoo and other companies have launched programs to detect and notify users when a company strongly suspects that a state-sponsored actor has targeted an account. Since the inception of Yahoo’s program in December 2015, independent of the recent investigation, approximately 10,000 users have received such a notice.”

Change in security mind-set needed

The dramatic bad news—its scale alone is stunning—creates another opportunity for consumers to think more carefully about how they protect themselves.

“Every day we receive hard data that demonstrates why we all must be on high alert when it comes to internet security,” said John Peterson, vice president and general manager at Comodo Enterprise, a security firm. “From the everyday consumer to the largest enterprise, we are constantly under attack from people and organizations that want to profit from stealing our personal information. Only by changing the way we think about internet security and deploying technology that provides full end-to-end coverage, will we be able to stop cyber criminals from profiting.”

In the end, however, there is little consumers can do to protect themselves from such wide-scale attacks. It’s up to technology firms to build better security into their products in the first place.

“What happened to Yahoo and their customers is tragic, but what is more tragic will be the next several data breaches at this scale, which, unfortunately, we have every reason to expect,” said Brett McDowell, executive director of the FIDO Alliance, a consortium of tech firms like Microsoft and Google. “The frequency and severity of these data breaches is only getting worse year-over-year, and this trend will continue until our industry ends its dependency on password security and adopts unphishable strong authentication. The old excuses about strong authentication being a bad user experience are going away.”
