Yahoo revealed on 14 December 2016 a breach of its systems that it had not disclosed before. It says that someone stole information about one billion accounts. For each person affected, that means bad actors now have their name, email address, date of birth, and telephone number. Also stolen are the hashed passwords for each account, as well as the security questions and answers used to validate users who want to recover passwords they have forgotten.
This breach, which took place in 2014, affects more people than any other hack attack in history that we know of. It is hard to imagine a bigger scope than this: a billion people, originating surely from most of the countries on earth. For populous and tech-savvy countries such as India, it means many millions of ordinary citizens are now at greater risk than they knew. What risk? For people who re-use passwords, it may mean that the bad actors who stole their Yahoo account information now hold the username and password to their bank accounts as well. And although we are assured that the passwords were not stored in the clear, the algorithm Yahoo used was MD5: a fast, unsalted hash designed for integrity checking, not for password storage. A fast hash lets an attacker test billions of candidate passwords per second against the stolen hashes, and without a salt every user who chose the same password produced the same hash, so one precomputed table cracks them all at once. The stolen passwords can therefore very likely be recovered, and this breach may enable Internet impersonation on a large scale.
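The following is an added example, not code from Yahoo or from the original article. It builds a small constructed "leaked database" of unsalted MD5 password hashes (the scheme Yahoo disclosed), cracks it with a dictionary attack, and then shows the same attack against the hardened form a password store should use: a random per-user salt and a deliberately slow key-derivation function (PBKDF2-HMAC-SHA256 here). The account names, passwords, wordlist and iteration counts are all made up for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Constructed sample users and passwords (not real data). Carol chose the same
# password as Alice; Dave's password is not in the attacker's wordlist.
LEAKED_USERS = {
    "alice@example.com": "password123",
    "bob@example.com": "letmein",
    "carol@example.com": "password123",
    "dave@example.com": "x9!Qr#7vLm2p",
}

# Constructed attacker wordlist; real ones hold hundreds of millions of entries.
WORDLIST = ["123456", "password", "letmein", "qwerty", "password123", "iloveyou"]


def md5_hex(password: str) -> str:
    """Unsalted MD5, as in the leaked store: same password -> same hash for everyone."""
    return hashlib.md5(password.encode()).hexdigest()


# What the attacker actually walks away with: user -> MD5 hex digest.
LEAKED_MD5: Dict[str, str] = {user: md5_hex(pw) for user, pw in LEAKED_USERS.items()}


def crack_unsalted_md5(hashes: Dict[str, str], wordlist: List[str]) -> Dict[str, str]:
    """Dictionary attack on unsalted MD5.

    The wordlist is hashed once into a lookup table; every user is then cracked
    with a dictionary lookup, so the cost is len(wordlist) hashes in total no
    matter how many accounts were stolen (a billion, in Yahoo's case).
    """
    table = {md5_hex(w): w for w in wordlist}
    return {user: table[h] for user, h in hashes.items() if h in table}


def pbkdf2_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = 600_000) -> Tuple[bytes, bytes]:
    """Hardened form: 16 random salt bytes per user plus a slow, iterated KDF."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def pbkdf2_verify(password: str, salt: bytes, digest: bytes,
                  iterations: int = 600_000) -> bool:
    """Constant-time comparison so the check itself leaks nothing about the digest."""
    _, candidate = pbkdf2_hash(password, salt, iterations)
    return hmac.compare_digest(candidate, digest)


def store_pbkdf2(users: Dict[str, str], iterations: int = 600_000) -> Dict[str, Tuple[bytes, bytes]]:
    """Build the salted store an operator should have had instead of LEAKED_MD5."""
    return {user: pbkdf2_hash(pw, iterations=iterations) for user, pw in users.items()}


def crack_salted_pbkdf2(records: Dict[str, Tuple[bytes, bytes]], wordlist: List[str],
                        iterations: int = 600_000) -> Tuple[Dict[str, str], int]:
    """The same dictionary attack against the salted store.

    The lookup-table trick is gone: each user has a different salt, so each
    candidate must be re-derived per user, and each derivation costs
    `iterations` rounds. Returns the cracked passwords and the number of KDF
    evaluations the attacker had to pay for.
    """
    cracked: Dict[str, str] = {}
    work = 0
    for user, (salt, digest) in records.items():
        for candidate in wordlist:
            work += 1
            if pbkdf2_verify(candidate, salt, digest, iterations):
                cracked[user] = candidate
                break
    return cracked, work


if __name__ == "__main__":
    print("unsalted MD5 cracked:", crack_unsalted_md5(LEAKED_MD5, WORDLIST))
    salted = store_pbkdf2(LEAKED_USERS, iterations=1000)   # low count only to keep the demo quick
    cracked, work = crack_salted_pbkdf2(salted, WORDLIST, iterations=1000)
    print("salted PBKDF2 cracked:", cracked, "after", work, "KDF evaluations")
```

The weak passwords fall in both cases, which is why the advice in the next paragraph matters regardless of how the site stores them; the difference is cost. Against unsalted MD5 the attacker hashes the wordlist once and looks up a billion accounts; against the salted store the same wordlist must be run through the KDF separately for every account, and at a production iteration count each evaluation is hundreds of thousands of times more expensive than one MD5 call.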
The best steps to recover at this point are to log in to Yahoo and change your password and your security questions and answers. Then, if you are going to continue using Yahoo, consider enabling its two-factor authentication feature, "Yahoo Account Key", which uses your smartphone as a second stage of the login process. Make sure you never re-use a password from one website on another. Finally, consider using a password manager app to choose and remember all your passwords for you. That way you can use a different, stronger password for every site.
As for the impact on Yahoo, one really has to wonder at this point how much the company can possibly care about security. The breach just announced is different, Yahoo says, from the one it announced only a few weeks ago, on September 22nd, when it told us that 500 million accounts were affected, the largest loss ever at the time. There was a third big problem tucked away in the September 22nd disclosure: the use of forged authentication cookies by a "nation-state" operator. An authentication cookie is the token Yahoo's servers hand to your browser after you log in, so that you are not asked for your password on every request. If an attacker can forge that token, the attacker does not need your password at all: they can present a forged cookie from their own machine and Yahoo will treat them as if you had already logged in. Yahoo has revealed that this has already happened to some victims, although we do not know how many accounts have been broken into this way.
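To make the cookie problem concrete, here is an added example (not Yahoo's design, and not code from the original article) of the generic scheme a site uses to remember a login: the server mints a cookie carrying the user name and an expiry time, authenticated with an HMAC under a secret server key, and checks that tag on every request. The user names, key and timestamps are constructed for the demonstration. A cookie crafted without the key is rejected; a cookie minted with the key is accepted for any user, with no password involved, which is exactly why such a key must be guarded like the password database itself.

```python
import base64
import hashlib
import hmac
from typing import Optional

SEP = "|"


def _tag(key: bytes, payload: str) -> str:
    """HMAC-SHA256 over the payload, URL-safe base64 without padding."""
    mac = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode().rstrip("=")


def mint_cookie(key: bytes, user: str, now: int, ttl: int = 3600) -> str:
    """Server side: issue a session cookie 'user|expiry|tag' after a successful login."""
    if SEP in user:
        raise ValueError("user name must not contain the separator")
    payload = f"{user}{SEP}{now + ttl}"
    return f"{payload}{SEP}{_tag(key, payload)}"


def verify_cookie(key: bytes, cookie: str, now: int) -> Optional[str]:
    """Server side: return the user the cookie vouches for, or None if it is
    malformed, tampered with, signed under another key, or expired."""
    parts = cookie.split(SEP)
    if len(parts) != 3:
        return None
    user, expiry, tag = parts
    if not expiry.isdigit():
        return None
    payload = f"{user}{SEP}{expiry}"
    # Constant-time comparison: a byte-by-byte early exit would leak the tag.
    if not hmac.compare_digest(_tag(key, payload), tag):
        return None
    if int(expiry) <= now:
        return None
    return user


def forge_without_key(genuine_cookie: str, victim: str) -> str:
    """Attacker without the key: take a real cookie and swap in the victim's name."""
    _, expiry, tag = genuine_cookie.split(SEP)
    return f"{victim}{SEP}{expiry}{SEP}{tag}"


if __name__ == "__main__":
    SERVER_KEY = b"constructed-server-signing-key"   # assumption: a secret only the server holds
    alice = mint_cookie(SERVER_KEY, "alice", now=1_000)
    print("genuine cookie accepted as:", verify_cookie(SERVER_KEY, alice, now=1_500))
    print("tampered cookie accepted as:", verify_cookie(SERVER_KEY, forge_without_key(alice, "bob"), now=1_500))
    # An attacker who has obtained the key needs no password for any account.
    stolen_key_cookie = mint_cookie(SERVER_KEY, "bob", now=1_500)
    print("cookie minted with stolen key accepted as:", verify_cookie(SERVER_KEY, stolen_key_cookie, now=1_600))
```

The tag binds the user name and expiry to the key, so editing either field without the key fails verification, and a cookie signed under a different key is rejected too. What the scheme cannot defend against is loss of the key: anyone holding it can mint a valid cookie for any account, and the only remedy is to rotate the key, which invalidates every outstanding session at once.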
Surely this soiled reputation must reduce Yahoo's worth as Verizon considers whether to buy its digital operations, and for how much. This new disclosure seems to indicate wider security problems inside Yahoo's network. After all, Yahoo says it does not know who did it, and is not sure the intruders are gone from the network. What else has gone wrong that we have not heard of yet? That is one of the questions one would expect investors and shareholders to be asking.
(A cyber security practitioner and thought leader for over 25 years, Mark Graff is the Founder and CEO at Tellagraff, LLC. Graff is a seasoned Chief Information Security Officer, having filled that role for NASDAQ for three years and Lawrence Livermore National Laboratory for nine.)