Hack of Half a Billion Records Takes Shine Off Yahoo's Data Trove


Yahoo on Thursday disclosed that a data breach in late 2014 resulted in the theft of information from at least 500 million customer accounts.

Based on a recent investigation, it appears that state-sponsored hackers carried out the attack, the company said.

Account information compromised includes names, email addresses, telephone numbers, dates of birth, hashed passwords, and encrypted or unencrypted security questions and answers.

Payment card and bank account information was not compromised, according to Yahoo. That information is stored on a system that was not affected by the breach.

Yahoo pointed to an increase in state-sponsored attacks on technology companies and noted that since late last year, it has informed about 10,000 users of suspicions that state-sponsored actors were targeting their accounts.

If the breach reports are true, they couldn't have come at a worse time for the company, which is preparing to sell its operating business to telecommunications giant Verizon for US$4.8 billion.

"Verizon certainly took on a calculated level of risk in acquiring Yahoo, particularly because of its massive user base," said Kevin Cunningham, president of SailPoint.

"The question of whether this breach will affect the sale price depends on how extensively [Verizon] performed due diligence on Yahoo's security controls," he told the E-Commerce Times.

"It's a perfect illustration of the fact that this due diligence should include not just network security controls, but also identity governance controls," Cunningham continued, "because as we've seen with LinkedIn, Dropbox and countless others, breaches very often result from compromised employee credentials."

With a data breach of this size, tremendous risk is created for an acquisition partner, noted Erik Knight, CEO of SimpleWan.

"There's going to be a ton of issues here that could drastically reduce the value of Yahoo," he told the E-Commerce Times.

Verizon on Thursday acknowledged that it had been notified of Yahoo's security incident, but had limited information and understanding of its impact.

The company would consider its interests -- including those of its customers, shareholders and related communities -- as the investigation proceeded, it said.

Yahoo encouraged its users to take precautions, such as changing passwords and security questions, to protect themselves from malicious activity.

The company has recently introduced new tools to help safeguard customer security.

"If you're a Yahoo user, over the last several years you will have experienced additional security measures on your accounts," noted Michael Harris, chief marketing officer at Guidance Software.

Those measures include a requirement to change passwords on a regular basis, and mobile alerts when Yahoo detects a login from a new device.

"These improvements will help mitigate the impact of this breach," Harris told the E-Commerce Times.

Yahoo also introduced the Yahoo Account Key last year, which is similar to the two-factor authentication systems used by some online services.

The problem with security offerings like 2FA is that people don't take advantage of them.

"I doubt many people have opted in for it. I don't know many people outside the security industry that enable things like 2FA," said Prevoty CTO Kunal Anand of Yahoo Account Key.

"The idea sounds great, but not many people do that," he told the E-Commerce Times.

"It's good cyberhygiene, but I should eat more vegetables, too," quipped Cameron Camp, a senior researcher at Eset.

"Whenever something is opt-in, that usually means a slower rate of adoption," he told the E-Commerce Times.

While it remains to be seen what impact this data breach will have on Yahoo, one very likely consequence is a loss of trust among its users, said Ebba Blitz, CEO of Alertsec.

Nearly one in three survey participants said it would take them several months to begin trusting a company following a data breach, the company found.

"Our research demonstrates just how difficult it will be for Yahoo's brand to recover from this breach," Blitz told the E-Commerce Times.

"Customers who are affected by data breaches suffer a significant loss of trust, and this is particularly true of men," he pointed out.

Twenty-two percent of participants said it would only take them a month to forgive, but 17 percent of men and 11 percent of women said their trust would be permanently lost. Men were more likely to switch to a competitor following a data breach than women.

John Mello is a freelance technology writer and contributor to Chief Security Officer magazine. You can connect with him on Google+.
