3 Billion Yahoo Accounts Hacked, But Don’t Delete Your Email Yet!
You may or may not remember, but in August of 2013 Yahoo suffered a major data breach which was only made public in December of 2016. At the time the breach was reported, it was said to have impacted only 1 billion accounts. The latest revelation by now parent company Verizon is that Yahoo actually failed to protect all 3 billion email accounts under its watch. This breach is one of the most significant to happen, although it doesn’t come close to the Equifax data breach in the types of data stolen. It’s not the number of accounts that makes this breach significant, but rather that Yahoo email accounts were introductory email accounts held by almost anyone online today. Prior to the rise of Gmail, Yahoo and Microsoft Hotmail were the go-to services for free e-mail accounts that could be acquired by anyone. While Yahoo accounts are not as popular today, many people still have an active Yahoo account even if they don’t access it.
The Original Yahoo Breach
When the original breach was reported in December of 2016, Yahoo stated that hackers had somehow accessed proprietary internal code which allowed them to create fake cookies. These cookies gave the hackers access to e-mail accounts without a password. Prior to this breach being reported, there was another breach in September of 2016 where Yahoo had reported that 500 million accounts had been compromised. Yahoo, pre-acquisition, had a very poor history of maintaining up-to-date security measures, which was revealed in the past decade. The hackers who gained access to all of Yahoo’s managed email accounts were able to access names, security questions, passwords, and most importantly legitimate identities. During the December disclosure of one billion emails being hacked, Skyhigh Networks CEO Rajiv Gupta said to eSecurity Planet that hackers had just gained one billion more keys to use in targeted cyber attacks against major institutions and organizations. With the latest revelation, however, anyone who has ever had a Yahoo e-mail account will likely have their e-mail used in a cyber attack.
Implications of the Latest Yahoo Data Breach
The latest data breach will have some wide-ranging impacts across the internet and the real world. One of the issues that has been exposed as a result of this breach is the rate of password and security question reuse among people online. It’s common for people to reuse the same passwords and security questions across multiple accounts for different services online. Depending on how the hackers or darknet buyers use the stolen information, many more corporations can become victims of targeted phishing schemes.
The other danger is that a wealth of private information is now readily available. If people’s security questions are compromised, that can enhance a hacker’s ability to impersonate them, especially if they are logged onto services without using two-factor authentication. The possibilities are now endless given that the information likely impacts any adult online today.
Organizational Complexity & Risk
Yahoo is an excellent example of a large organization that had a wealth of security personnel at its disposal and still demonstrated that it can easily miss critical vulnerabilities. This is due to the complex nature of the organization and the threat surface it leaves for malicious or negligent insiders to take advantage of. Yahoo’s email accounts were routinely compromised prior to this hack.
Additionally, there seemed to be a failure in communications on data management, which further exposed Yahoo’s risk and mismanaged complexity. This was made clear during a trial in July of 2016. Yahoo had claimed in its Compliance Guide for Law Enforcement that recovery of deleted emails was not possible. However, in court Yahoo was able to bring in six months’ worth of deleted emails against a defendant. The specifics of the case are not as important as the lack of communication and the disconnect between Yahoo’s stated policies and its actual practices. Such failure to communicate and remain on the same page heightens risk and allows for an increase in undetected insider incidents. No amount of security personnel can prevent a breach if they are not on the same page about protocol.
What to do now?
First and foremost, due to Yahoo’s policies, it is not recommended to delete your account. In 2013, the same year as the hack, Yahoo announced on Tumblr a policy that essentially allows inactive (one year or more) Yahoo accounts to be “released”. Essentially, Yahoo accounts are recycled and offered to other people instead of being deactivated. This exposed many Yahoo accounts to compromise by simply allowing a password reset or claim of a Yahoo ID. If a user tries to delete their account, it will remain inactive for 90 days instead. This 90-day period is a window of opportunity for anyone to claim the account and keep it in a recycle loop. Such policies only further enhance a criminal’s ability to commit fraud or targeted phishing.
Enhance security on your account as much as possible. Two-factor authentication is the recommended course of action for now, until Yahoo or parent company Verizon gets rid of such policies that put accounts in danger of further malicious use. Two-factor authentication will require a code for login that is only accessible from the mobile device you tell Yahoo to send it to. This will prevent any malicious attempts to access your account.