
Yahoo's colossal security breach - experts give their opinions

04 Oct 2017

The latest news from Yahoo is certainly nothing to cheer about.

The Internet giant has announced that it wasn’t some accounts that were hacked, it was every single one – all three billion of them.

To provide some reference, winding back to December 2016, Yahoo announced that based on its analysis of data files provided by law enforcement, the company believed that an unauthorised party stole data associated with certain user accounts in August 2013.

At the time this was staggering, as the number of hacked user accounts was put somewhere around one billion. This new eye-watering figure marks a three-fold increase over the initial estimate.

The disclosure comes just four months after Verizon acquired Yahoo's core internet assets for US$4.48 billion, a price that had already been cut because of the breach.

In a statement on its site, Yahoo says for affected accounts the stolen user information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers.
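The detail that matters most to a practitioner in that statement is the hashing algorithm. MD5 is a fast general-purpose digest, not a password hash: a single table of precomputed MD5 digests of common passwords can be checked against every hash in a dump, which is the point Kolochenko makes below when he notes that "even hashed passwords can be bruteforced". The following is an added example, not code from Yahoo or from this article, using a constructed miniature "dump" and a short wordlist (both hypothetical) to show how quickly MD5-hashed passwords fall to a dictionary attack, and how a salted, iterated password hash (PBKDF2-SHA256 here) defeats the same precomputed table. Whether Yahoo's MD5 hashes were salted is not stated on the page; the example assumes unsalted hashes for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, Optional

# Constructed wordlist and dump (hypothetical data, not from the breach).
WORDLIST = ["123456", "password", "qwerty", "letmein", "sunshine", "iloveyou"]


def md5_hex(password: str) -> str:
    """Plain MD5 of the password, as a 'hashed password (using MD5)' column would hold."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


# Dump of user -> MD5 hash. Two users chose "letmein"; note that, unsalted, their
# hashes are identical, so one lookup recovers both.
DUMP: Dict[str, str] = {
    "alice": md5_hex("letmein"),
    "bob": md5_hex("sunshine"),
    "carol": md5_hex("letmein"),
    "dave": md5_hex("Tr0ub4dor&3-unique"),  # not in the wordlist
}


def crack_md5_dump(dump: Dict[str, str], wordlist: Iterable[str]) -> Dict[str, str]:
    """Dictionary attack against unsalted MD5.

    The table of digests is computed once and reused for every account in the
    dump: cost is O(len(wordlist) + len(dump)), independent of the number of users.
    Returns user -> recovered password for every hash found in the table.
    """
    table = {md5_hex(w): w for w in wordlist}
    return {user: table[h] for user, h in dump.items() if h in table}


def hash_password_pbkdf2(password: str, salt: Optional[bytes] = None,
                         iterations: int = 600_000) -> str:
    """Salted, iterated password hash in a self-describing format.

    A random 16-byte salt per user means a precomputed table is useless, and
    the iteration count makes each guess expensive rather than a single MD5 call.
    """
    salt = salt if salt is not None else secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_pbkdf2_dump(dump: Dict[str, str], wordlist: Iterable[str]) -> Dict[str, str]:
    """The same dictionary attack against salted PBKDF2 hashes.

    No shared table is possible: every (user, guess) pair must be hashed
    separately with that user's salt, so cost is O(len(wordlist) * len(dump))
    expensive operations instead of O(len(wordlist)) cheap ones.
    """
    words = list(wordlist)
    return {user: w for user, h in dump.items() for w in words if verify_pbkdf2(w, h)}


if __name__ == "__main__":
    recovered = crack_md5_dump(DUMP, WORDLIST)
    print(f"MD5 dump: recovered {len(recovered)}/{len(DUMP)} passwords: {recovered}")

    # Re-store the same passwords properly and show the attack no longer scales.
    salted = {u: hash_password_pbkdf2(p, iterations=50_000)
              for u, p in {"alice": "letmein", "carol": "letmein"}.items()}
    print("salted hashes differ for identical passwords:", salted["alice"] != salted["carol"])
    print("per-user work required:", crack_pbkdf2_dump(salted, WORDLIST))
```

The same weak password still falls under PBKDF2 if the attacker is willing to pay the per-user cost, which is why the iteration count (or a memory-hard function such as scrypt or Argon2) matters alongside the salt; the salt only removes the ability to crack the whole dump with one table.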

A number of experts have stepped forward with commentary following Yahoo’s latest announcement, including:

Rich Campagna, CEO at Bitglass

“Back when the breach was first disclosed, we noted that many large enterprises lack the necessary controls to limit unauthorised access. While this remains the case, a breach where virtually all Yahoo users are affected is unprecedented.

It’s difficult to imagine any circumstance in which an organisation committed to security could have all network segmentation, policies, and security measures bypassed completely. Even over a prolonged period of time, it is exceedingly difficult to exfiltrate three billion records without setting off a single actionable alarm.

When the deal between Verizon and Yahoo was initially announced, we saw the direct impact that the breach had on the price of the acquisition. This goes to show that a seemingly small gap in security can be devastating and have prolonged business impacts.”

Thomas Fischer, global security advocate at Digital Guardian

“The issue here is that account details were compromised without the victims being alerted, leaving them vulnerable to phishing attacks and other forms of social engineering over the last four years.

Mass data breaches like this are a treasure trove for malicious attackers. Using the compromised login details, hackers may have attempted to hijack the email accounts to steal more data, or target the victims’ friends, family and place of work.”

Ilia Kolochenko, CEO of High-Tech Bridge

“Taking into consideration that the integrity of Yahoo user accounts was compromised, one can reasonably infer that Yahoo ignored the fundamental principles of access segregation, continuous security monitoring and related security processes.

Therefore, it’s a bit hard to believe that sensitive information related to these accounts remained safe. Moreover, even hashed passwords can be brute-forced and then leveraged by the attackers. Information like date of birth or answer to secret question(s) can be a universal door-opener for cybercriminals. Anyway, Yahoo has already learned a very hard lesson and served as an example to others that cybersecurity is pivotal for digital business.”

Stephen Moore, chief security strategist at Exabeam

“Large-scale breaches like this have driven a greater focus on behavioural analytics over the last couple of years. This is because it can help combat attempts to exfiltrate data by notifying the security team when someone is doing something that is unusual and risky – even when that activity is out of context, both on an individual basis and compared to peers.

With behavioural analytics combined with machine learning, this actionable information should be available in a couple of clicks, not after an extended period of time.”
