Hack of Half a Billion Records Takes Shine Off Yahoo's Data Trove


Yahoo on Thursday disclosed that a data breach in late 2014 resulted in the theft of information from at least 500 million customer accounts.

Based on a recent investigation, it appears that state-sponsored hackers carried out the attack, the company said.

Account information compromised includes names, email addresses, telephone numbers, dates of birth, hashed passwords, and encrypted or unencrypted security questions and answers.

Payment card and bank account information was not compromised, according to Yahoo. That information is stored on a system that was not affected by the breach.

Yahoo pointed to an increase in state-sponsored attacks on technology companies and noted that since late last year, it has informed about 10,000 users of suspicions that state-sponsored actors were targeting their accounts.

If the breach reports are true, they couldn't have come at a worse time for the company, which is preparing to sell its operating business to telecommunications giant Verizon for US$4.8 billion.

"Verizon certainly took on a calculated level of risk in acquiring Yahoo, particularly because of its massive user base," said Kevin Cunningham, president of SailPoint.

"The question of whether this breach will affect the sale price depends on how extensively [Verizon] performed due diligence on Yahoo's security controls," he told the E-Commerce Times.

"It's a perfect illustration of the fact that this due diligence should include not just network security controls, but also identity governance controls," Cunningham continued, "because as we've seen with LinkedIn, Dropbox and countless others, breaches very often result from compromised employee credentials."

With a data breach of this size, tremendous risk is created for an acquisition partner, noted Erik Knight, CEO of SimpleWan.

"There's going to be a ton of issues here that could drastically reduce the value of Yahoo," he told the E-Commerce Times.

Verizon on Thursday acknowledged that it had been notified of Yahoo's security incident, but had limited information and understanding of its impact.

The company would consider its interests -- including those of its customers, shareholders and related communities -- as the investigation proceeded, it said.

Yahoo encouraged its users to take precautions, such as changing passwords and security questions, to protect themselves from malicious activity.

The company has recently introduced new tools to help safeguard customer security.

"If you're a Yahoo user, over the last several years you will have experienced additional security measures on your accounts," noted Michael Harris, chief marketing officer at Guidance Software.

Those measures include a requirement to change passwords on a regular basis, and mobile alerts when Yahoo detects a login from a new device.

"These improvements will help mitigate the impact of this breach," Harris told the E-Commerce Times.

Yahoo also introduced the Yahoo Account Key last year, which is similar to the two-factor authentication systems used by some online services.

The problem with security offerings like 2FA is that people don't take advantage of them.

"I doubt many people have opted in for it. I don't know many people outside the security industry that enable things like 2FA," said Prevoty CTO Kunal Anand of Yahoo Account Key.

"The idea sounds great, but not many people do that," he told the E-Commerce Times.

"It's good cyberhygiene, but I should eat more vegetables, too," quipped Cameron Camp, a senior researcher at Eset.

"Whenever something is opt-in, that usually means a slower rate of adoption," he told the E-Commerce Times.

While it remains to be seen what impact this data breach will have on Yahoo, one very likely consequence is a loss of trust among its users, said Ebba Blitz, CEO of Alertsec.

Nearly one in three survey participants said it would take them several months to begin trusting a company following a data breach, Alertsec found.

"Our research demonstrates just how difficult it will be for Yahoo's brand to recover from this breach," Blitz told the E-Commerce Times.

"Customers who are affected by data breaches suffer a significant loss of trust, and this is particularly true of men," he pointed out.

Twenty-two percent of participants said it would only take them a month to forgive, but 17 percent of men and 11 percent of women said their trust would be permanently lost. Men were more likely to switch to a competitor following a data breach than women.

John Mello is a freelance technology writer and contributor to Chief Security Officer magazine. You can connect with him on Google+.
