Yahoo parent company Oath, part of Verizon, announced this week that the August 2013 Yahoo breach, which the company had previously said impacted over a billion user accounts, actually affected all three billion Yahoo accounts existing in 2013.
“Subsequent to Yahoo’s acquisition by Verizon, and during integration, the company recently obtained new intelligence and now believes, following an investigation with the assistance of outside forensic experts, that all Yahoo user accounts were affected by the August 2013 theft,” the company said.
The information exposed included names, email addresses, phone numbers, birthdates, hashed passwords, and in some cases, security questions and answers.
In a statement, Verizon CISO Chandra McMahon said the company is committed to the highest standards of accountability and transparency. “Our investment in Yahoo is allowing that team to continue to take significant steps to enhance their security, as well as benefit from Verizon’s experience and resources,” she said.
The Yahoo breach serves as a strong reminder of the importance of security risk management — Joe Fantuzzi, CEO of RiskVision, told eSecurity Planet by email that Yahoo is now the unfortunate poster child for unexamined risk. “But while the media spotlight is fixated squarely on Yahoo, it’s far from the only enterprise that has consistently overlooked critical factors in its risk environment,” he said.
“While organizations like Yahoo are staffed by armies of security personnel, their risk environment is also incredibly complex and multifaceted, making it easy to overlook critical vulnerabilities if proper due diligence isn’t thoroughly conducted,” Fantuzzi added. “That complex risk environment is compounded by the fact that global enterprises like Yahoo with countless assets are naturally glaring targets for hackers.”
Webroot director of threat research David Kennerley said by email that the stolen data, combining email addresses and hashed passwords with security questions and answers, makes a potent package for identity theft. “The fact that the accounts were compromised for so long means that most of the damage would have already been done before the breach was even discovered,” he said.
“The reality of today’s news, coupled with the ongoing security failings at Equifax and many others, means we now without doubt have to accept that a good number of once trusted companies cannot keep our private data secure,” Kennerley added.
Gemalto vice president and CTO for data protection Jason Hart noted that the new announcement makes the 2013 Yahoo breach the largest of all time. “While it is ‘news’ that Yahoo is making another announcement about its 2013 breach, it should be more concerning that it’s taken almost four years to get to the bottom of a breach of this magnitude,” he said. “It speaks to the amount of work we in the security industry still need to do.”
The most important step companies can take in response, Hart said, is to take a data-centric view of threats, ensuring that the data itself is made useless to hackers. “And that entails better identity and access control techniques, foremost, multi-factor authentication and the use of encryption and key management to secure sensitive data,” he said. “Unfortunately, to date only four percent of breaches have been ‘secure breaches’ where encryption was used to render the stolen data useless.”
And Mimecast director of security product management Steve Malone said businesses should keep in mind that many users are likely to have re-used their Yahoo email password in the workplace. “Password reuse opens up critical business systems like Outlook Web Access to attackers, and once they have access to an internal mailbox, it’s trivial to phish internally and escalate privileges on the network,” he said.
“Organizations must look to implement multi-factor authentication on any business system exposed to the Internet in line with their broader cyber resilience strategy of protect, continue and recover,” Malone added.
Still, a recent OneLogin survey of more than 500 U.S.-based IT decision makers found that while 87 percent of respondents believe they have sufficient password protection policies in place, just 36 percent are using multi-factor authentication internally, and just 34 percent are using it to manage external access.
A quarter of respondents don’t require user passwords to meet minimum length requirements, and just 41 percent check employee passwords against common password lists.
Just 24 percent require users to change their passwords once a month or more frequently, and 54 percent require users to change passwords quarterly.
“Passwords alone are not enough to secure your company,” OneLogin CISO Alvaro Hoyos said in a statement. “Companies need to be more forward-thinking when it comes to identity and access management by enforcing strong passwords and using modern multi-factor authentication.”