Four Yahoo Breach Business Lessons

Cyber Security Lessons Learned

December 15, 2016


Secure Halo


Records are meant to be broken. And Yahoo has done it.

This September, Yahoo reported that login and user information had been stolen from more than 500 million accounts, the largest data breach in history at the time. Just three months later, Yahoo has managed to break its own record.

Yahoo announced yesterday that a separate breach occurred in August 2013 and has affected more than one billion user accounts. They didn’t just break the previous record, they shattered it. This troubling revelation presents yet another hurdle for Verizon in its pending acquisition of Yahoo.

In July, Verizon agreed to buy Yahoo for $4.8 billion, but the sale has stalled after news of the first breach broke. It’s safe to assume that Yahoo’s latest incident has caused Verizon to pump the brakes yet again. A new deal with a significantly lower price would not be out of the question, if the sale ends up being finalized at all.

The two largest data breaches in history provide several important lessons for the business community.

1. Timing is everything. The first reported breach itself took place in 2014, but was not announced until September 2016. Whether Yahoo withheld knowledge of the hack for that long, or simply didn’t know about it until now, has not been disclosed. If the former, it could result in liability issues. If the latter, it demonstrates very poor situational awareness and a failure to find and mitigate the vulnerabilities in its network.

The breach reported yesterday took place in 2013 and was only discovered after Yahoo analyzed data files provided to it by law enforcement. Yahoo’s security team has been unable to determine exactly how sensitive data was stolen from a staggering one billion accounts, and could not establish that the breach had happened at all without outside help, again displaying a lack of knowledge of its own security gaps.

Both breaches should be eye openers to anyone hosting critical information or services. Know your strengths, but more importantly, know your weaknesses. Moreover, be honest about how to mitigate them, and do so in a timely manner to minimize damage to your brand. In addition, security controls dedicated to detecting, correcting, and recovering from an attack are as important as, if not more important than, controls that only try to prevent an attack, and they are vital to achieving cyber resiliency.

2. Login info is cyber gold. Names, hashed passwords, birth dates, and security questions and answers were all targeted. This is all information that can be used to log into user accounts, both on Yahoo and beyond, since internet users generally reuse passwords (or slight variations of passwords) across domains (email, banking, e-commerce, etc.). A hashed password is not a safe password: a fast, unsalted hash can be cracked offline at scale, and the plaintext then joins the same replay list. With this information, ne’er-do-wells can attempt to log into additional personal accounts with a success rate of up to roughly 2%. That 2% may not sound significant, but across one billion users it amounts to 20 million accounts. From a consumer standpoint, Yahoo users should change their password immediately and update any other online profiles that use the same email address as the login or have the same or a similar password. Both individuals and businesses should employ multi-factor authentication to ensure that those attempting to gain access are who they say they are. (Read more on “How to Strengthen Passwords to Better Guard the Door.”)

As a precautionary measure in the event that login credentials for your network are compromised, the concept of “least privilege” is an important mitigation strategy. Least privilege means employees are granted access only to the information and resources they need to perform their job. This can and should extend to physical locations such as different sites, or even parts of your company’s buildings. By restricting your employees’ access to only what they require, a hacker holding one set of stolen credentials is likewise restricted in how far they can move laterally or escalate privilege within your network or organization. Sure, “login info is cyber gold,” but ensure that one login does not become the keys to the castle in the wrong hands.
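The “2% across a billion accounts” point above is what credential stuffing looks like from the defender’s side: a replayed breach list produces a burst of logins from one source against many different accounts, almost all of them failing. The detector below is an added example written for this article, not Secure Halo’s or Yahoo’s code. The log lines, the IP addresses, the account names and the thresholds (five distinct accounts, a success rate of 20% or less) are constructed assumptions; tune them to your own traffic. Beyond flagging the source, it also lists the accounts that did authenticate from a flagged source, which are exactly the reused-password accounts that need a forced reset.

```python
from collections import defaultdict

# Constructed sample of authentication events (not real Yahoo or customer data).
# Columns: timestamp, source IP, username, result
SAMPLE_LOG = """\
2016-12-15T10:00:01 203.0.113.7 alice@example.com FAIL
2016-12-15T10:00:02 203.0.113.7 bob@example.com FAIL
2016-12-15T10:00:02 203.0.113.7 carol@example.com OK
2016-12-15T10:00:03 203.0.113.7 dave@example.com FAIL
2016-12-15T10:00:03 203.0.113.7 erin@example.com FAIL
2016-12-15T10:00:04 203.0.113.7 frank@example.com FAIL
2016-12-15T10:00:05 203.0.113.7 grace@example.com FAIL
2016-12-15T10:01:00 198.51.100.20 alice@example.com FAIL
2016-12-15T10:01:20 198.51.100.20 alice@example.com FAIL
2016-12-15T10:01:40 198.51.100.20 alice@example.com OK
2016-12-15T10:02:00 192.0.2.55 heidi@example.com OK
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, ip, user, ok) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, ip, user, result = line.split()
        events.append((ts, ip, user.lower(), result == "OK"))
    return events


def profile_sources(events):
    """Per source IP: the distinct usernames tried, attempt count, and accounts that succeeded."""
    stats = defaultdict(lambda: {"users": set(), "attempts": 0, "successes": set()})
    for _, ip, user, ok in events:
        entry = stats[ip]
        entry["users"].add(user)
        entry["attempts"] += 1
        if ok:
            entry["successes"].add(user)
    return stats


def detect_credential_stuffing(events, min_distinct_users=5, max_success_rate=0.2):
    """Flag sources that try many distinct accounts with a low hit rate.

    A single account hammered repeatedly (password guessing) is deliberately
    NOT flagged here: it has one distinct user, and needs a different rule.
    Returns (flagged_sources, accounts_to_reset). The thresholds are
    assumptions for this example.
    """
    flagged = {}
    to_reset = set()
    for ip, entry in profile_sources(events).items():
        distinct = len(entry["users"])
        rate = len(entry["successes"]) / entry["attempts"]
        if distinct >= min_distinct_users and rate <= max_success_rate:
            flagged[ip] = {
                "distinct_users": distinct,
                "attempts": entry["attempts"],
                "success_rate": round(rate, 3),
            }
            # These passwords matched: they were reused from a breached site.
            to_reset |= entry["successes"]
    return flagged, sorted(to_reset)


if __name__ == "__main__":
    flagged, reset = detect_credential_stuffing(parse_log(SAMPLE_LOG))
    for ip, info in flagged.items():
        print(f"credential stuffing from {ip}: {info}")
    print("force password reset for:", reset)
```

On the sample, 203.0.113.7 is flagged (seven accounts, one hit, a 14% rate) and carol@example.com is queued for a reset; 198.51.100.20, which guessed one account three times, is left to a per-account lockout rule instead.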

3. Hacks expose business information. If you use Yahoo to host your business email, this breach means leaked credentials could give an outsider access to your organization’s mailboxes. Any information those credentials unlock potentially belongs to whoever cares to purchase them: emails, remote network logins, and sensitive proprietary information can all be up for grabs. Security equipment purchases, data and network equipment inventories, planned service outages, and even default equipment usernames and passwords are useful to hackers, and often more useful than the take from the initial breach. These pieces of information, no matter how innocuous they seem by themselves, become elements of a toolbox hackers can use to gain further access to your network.

You have spent years, maybe even decades, building up a brand, and with it a reputation with your customers. A loss of this type and scale can cause customers to lose faith in that brand. Rebounding from such an event can cost time, money, and clients you can’t afford to lose. Having effective risk management and mitigation plans already in place is invaluable in helping your organization navigate, rebound from, and even thrive after such a crisis.

4. Social engineering of individuals leads to cyber crime against businesses. Social engineering is the art of hacking people. By leveraging information about individuals found in personal accounts such as Yahoo, hackers can gain access to the corporate information or resources they want without having to touch the target network. This is often done through specially crafted emails known as spear phishing and whaling. Spear phishing is the use of a specifically targeted email that appears to come from a known, friendly entity. Whaling particularly targets upper management. Both techniques are used for business email compromise (BEC) attacks, which target a company’s financial or purchasing personnel and manipulate them into wiring substantial amounts of money to fraudulent accounts.

According to the FBI’s Internet Crime Complaint Center (IC3), nefarious elements have managed to redirect nearly $3.1 billion from over 22,000 victims from October 2013 to May of 2016. According to Trend Micro, the most popular “sender” of fraudulent emails in BEC exploitations is the CEO at 31% of scams. The second most popular is the company President at 17%. On the other end of the game, the CFO was the most likely recipient at just over 40%, while the finance director was targeted nearly 10% of the time.
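The pattern in those figures is concrete enough to check for: an email whose display name is an executive (most often the CEO or President) but whose address is not theirs, a Reply-To that quietly redirects the conversation, and a body asking finance (most often the CFO) for an urgent, confidential transfer. The checker below is an added example written for this article, not Secure Halo’s code and not a product feature. The company domain, the two-person executive directory, the lure word list and the three sample messages are constructed assumptions; it uses only Python’s standard library email parser.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed company domain and executive directory (constructed for this example).
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {
    "jane doe": "jane.doe@example.com",   # CEO: the most-impersonated "sender"
    "john roe": "john.roe@example.com",   # CFO: the most-targeted recipient
}
# Wording typical of the wire-fraud lure; on its own it is not proof of anything.
LURE_TERMS = ("wire", "transfer", "payment", "invoice", "urgent", "confidential")

# Constructed sample messages (RFC 822 text); none of these are real mail.
SAMPLE_MESSAGES = {
    "spoofed_ceo": """\
From: Jane Doe <jane.doe@examp1e-mail.com>
To: John Roe <john.roe@example.com>
Reply-To: ceo.janedoe@webmail.example
Subject: Urgent wire transfer

John, I need a confidential wire transfer of $48,000 sent to the vendor
account below before close of business. I am in meetings, reply by email only.
""",
    "real_ceo": """\
From: Jane Doe <jane.doe@example.com>
To: John Roe <john.roe@example.com>
Subject: Board deck

John, can you review the Q4 slides before Thursday?
""",
    "vendor_invoice": """\
From: Accounts <billing@vendor.example>
To: John Roe <john.roe@example.com>
Subject: Invoice 1043 payment reminder

Reminder that invoice 1043 is due on the usual terms.
""",
}


def _domain(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_bec(raw):
    """Return the list of BEC indicators found in one message."""
    msg = message_from_string(raw)
    reasons = []

    # 1. Executive display name on a non-executive address (the whaling lure).
    name, addr = parseaddr(msg.get("From", ""))
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        reasons.append("executive display name on non-corporate address")

    # 2. Reply-To pointing somewhere other than the From domain.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and _domain(reply) != _domain(addr):
        reasons.append("Reply-To domain differs from From domain")

    # 3. Financial lure wording in subject or body (two or more terms).
    text = (msg.get("Subject", "") + " " + msg.get_payload()).lower()
    hits = [term for term in LURE_TERMS if term in text]
    if len(hits) >= 2:
        reasons.append("financial lure terms: " + ", ".join(hits))
    return reasons


def is_likely_bec(raw):
    """An identity mismatch AND a financial lure together make a BEC candidate."""
    reasons = check_bec(raw)
    identity = any(r.startswith(("executive", "Reply-To")) for r in reasons)
    lure = any(r.startswith("financial") for r in reasons)
    return identity and lure


if __name__ == "__main__":
    for label, raw in SAMPLE_MESSAGES.items():
        print(f"{label}: likely BEC={is_likely_bec(raw)} reasons={check_bec(raw)}")
```

The genuine invoice reminder trips only the wording check and is not flagged, which is the point of requiring an identity indicator as well: finance receives legitimate payment mail all day, and a rule that fires on “invoice” alone would be ignored within a week.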

The Yahoo breaches set a new bar for threat exposure, but they provide lessons. It is incumbent upon individuals and companies, as responsible digital citizens, to do what we can to make ourselves hard targets. Let’s start immediately by at least following the time-honored advice of changing passwords every three-to-six months, using strong passwords that are unique to each site, and turning on multi-factor authentication wherever it is offered.
