Yahoo Confirms Huge Data Breach Affecting 500 Million Accounts - additional expert comments

September 2016 by Expert

Last night, Yahoo revealed that information associated with at least 500 million user accounts was stolen in 2014 by what it believes to be a state-sponsored actor. The stolen data may include names, email addresses, telephone numbers, dates of birth, hashed passwords and, in some cases, encrypted or unencrypted security questions and answers. According to Yahoo, the stolen data does not appear to have included payment card data or bank account information.

Ryan Wilk, VP at NuData Security: “Once again, more news of a big breach hits the wire. A blockbuster breach, with staggering size and scope, which has actually been baking since 2014 when the original breach occurred and was reported on. Still, 500 million records lost will likely make this one of the biggest on record. Sadly, while that number may be what Yahoo is aware of today, we can probably expect this number to rise. With this attack on half a billion user accounts, we are likely to see well over a billion accounts breached this year alone compared to about 800 million in 2015.
Clearly, hacks are getting bigger and more impactful. Like a snowball gaining speed and momentum, hacks are gaining in scope, sophistication and impact. All while feeding a fraud engine that leads to identity theft, account fraud and a myriad of other crimes that can be stopped.

This breach will rattle consumers badly. First, we all have to start accepting that breaches are an unhappy fact of life and our personal records are being shared on the dark web – sometimes years after the breach occurs. This one, in particular, hits everyone hard. Yahoo has a lot of long standing and trusted accounts. After all, who doesn’t have a Yahoo account? Even an old one sitting around might have emails and other personal information in it that could be used by a hacker later on.
You’ll hear a lot in the next few days about changing your password, and yes, while it’s good practice to change your usernames and passwords often and make them complex, it’s just not enough on its own. Data breaches continue to build upon each other, with each breach adding additional intelligence to achieving the goal of complete profiles of identities for a large segment of our population up for sale on the dark web. Access to this data in particular, can allow the bad actors to reset passwords on banking and e-tailer sites linked to Yahoo accounts, or use the data to apply for a new credit card, or even more frighteningly, gain access to your work credentials, where the damage could be colossal.

Where credit card fraud was all the rage a couple of years ago, it is this kind of account takeover and new account fraud that is on the painful and dramatic rise. We saw, in our own database of 81 billion behavioural events annually, a 10% month-over-month increase in new account fraud.

There are behaviour-based methods that online merchants, banks, and providers, are going to need to deploy that will help keep consumer accounts safe, even if valid credentials are presented. These solutions give true insight into who sits behind the device - and provide near-perfect trust that it is the consumer, and not a fraudster using our identity information online. You can and should start expecting these multi-behaviour based solutions from those providers that protect your online accounts.
Knowing that we haven’t been able to stop these breaches from happening, and accepting the fact that much of our identity information is already on the dark web, is the first step that responsible providers need to take. The second step is putting into place security systems designed to protect their customers from the nefarious use of these stolen identities. And systems that stop these fraudsters in a completely passive and non–intrusive way to us, the consumers. The only way to achieve this is by truly being able to identify the identity of the user behind the device.

It’s time to make these breaches irrelevant by devaluing the data that hackers like “Peace” use. So even if they keep trying to steal “pieces” of our data, the data can become irrelevant, because no matter how sophisticated they get, they can’t steal our behaviour!”

Richard Cassidy, UK cyber security evangelist at Alert Logic:
"Overall this is a considerable data breach, especially if initial reports citing circa 500 million records leaked are indeed accurate. Furthermore, the data seems to have already been monetised (in part) and firmly distributed via various cybercriminal networks. It is indeed very unfortunate; service providers such as Yahoo will always be a high-value target for bad actor groups on the DarkWeb, especially those looking to prove credibility and stamp their name in the data heist record books (per se). Naturally such a breach will cause concern at board level for those involved in the M&A process and eventual purchase of Yahoo; with IT systems to be integrated between both parties, this breach will add a considerable delay to convergence efforts between both parties’ infrastructures and ultimately affect operational capability. Furthermore, the knock-on effect financially as worried shareholders seek to exit to safer stocks will create short to medium term fiscal unrest; however, it’s how Yahoo now communicate the details of the breach, helping users (who have been identified as having had their data breached) put in place expedited account security measures, not just at Yahoo, but across all personal accounts where passwords and/or usernames may be similarly used.

Without a doubt however, anyone who has ever signed up to Yahoo services, shouldn’t wait to hear from Yahoo on whether they may have been directly affected (or not), steps should be taken immediately to reset shared passwords across other online accounts and monitor financial transactions closely for signs of nefarious activity. Unfortunately, stopping every threat is a panacea that many argue is impossible to achieve. Regardless of organisation size or security capabilities in-house, there needs to be a paradigm shift in how we view susceptibility to threats and how we architect our current security framework around threat detection and early warning of nefarious activity. Relying on legacy layered security solutions, with no correlation on activity from application to network layer, can leave organisations at greater risk of a data breach. It’s herein that we need to shift our thinking and architecture; organisations need to assess their risk status to data breaches, understand the market they operate in, their competitors and of course the threat vectors most likely to be seen, architecting security capabilities that reduce that risk profile and enable better trust relationships between 3rd parties and customers, all with the aim of keeping key data security assets as protected as current technology capabilities permit.

Furthermore, reliance on automated security scanning functions can lead to key indicators of compromise going undetected; the human expert analysis approach ensures a level of assurance around protection from even the most advanced malware threats or zero day activity that may be targeted against the organisation.
If initial reports that Yahoo experienced this particular breach back in 2014, and it's only now coming to light, are correct, then this raises serious concerns for consumers of Yahoo products or services, and questions need to be answered on why external communication has been withheld for so long. Overall what has to be learned from this event is that data breaches can (and do) occur across organizations of all types and sizes. Well defined incident response plans that communicate the details of the breach in an effective, directed and reassuring manner both internally and externally are the key to maintaining consumer and market confidence, not least providing users who have been affected with the best possible chance of containing further breaches to other online accounts where passwords or usernames may have been similarly used.”

Ryan Kalember, SVP, cyber security strategy Proofpoint:
“Your email credentials are the single most sensitive piece of information you have. News of the Yahoo breach is yet another indication that email accounts are a prime target among criminals. Email is the top way cybercriminals are breaking into the world’s most sophisticated organizations and they target personal inboxes with the same aggressiveness.
Email is a necessity in our digital society and attackers are constantly working to exploit it. It provides a direct link between an attacker and a victim. If your personal email is compromised, and an attacker assumes your identity, that exposes all of your contacts to an immediate threat and allow the attacker to reset all of your other account passwords. By taking advantage of email accounts, hackers are exploiting the digital trust that exists between the email sender and receiver. This trust is the basis for how our digital society operates. Whether it is personal or enterprise emails, the result is the same, trust is broken and information is at risk.”

Leo Taddeo, CSO at Cryptzone:
"The loss of unencrypted security questions and answers creates a risk for enterprises that rely on this technique to enhance security for traditional credentials. The best defence is to deploy access controls that examine multiple user attributes before allowing access. This type of "digital identity" makes it much harder for a hacker to take advantage of the type of information lost by Yahoo."

Gavin Millard, EMEA Technical Director, Tenable Network Security:
"With the complex, data rich, IT environments organisations run today, there is always a high possibility of yet another breach with customer data making its way onto the dark web. As we continue to add more technologies to our networks and as attackers become more sophisticated, it’s important that organisations have a rapid process for determining the impact of the breach and a robust approach in addressing the ensuing post-breach fallout.

If you have a Yahoo! account and have re-used the password anywhere, it would be wise to create new ones now to stop any further personal data from being exposed. To reduce the impact from the next inevitable breach of this type, users should protect themselves by having individual passwords per service rather than the one or two that most use now. Modern browsers have the ability to generate and store complex passwords, as do the many password managers available.
One of the most concerning aspects of this breach is the fact that the security questions and answers were unencrypted. Most users would have used valid responses to questions like mother’s maiden name, first car, and first pet, which could lead to further exploitation and account misuse."

Alex Mathews, EMEA Technical Manager, Positive Technologies:
"Almost every year we see reports of "millions of leaked accounts of Yahoo / Hotmail / Gmail / iTunes / etc". We would even suspect that some of this news is "designed" especially for certain events. Yahoo’s sale to Verizon sounds like an interesting occasion to make such a brouhaha, but it would appear that this time the allegations were founded.

The elephant in the room is Yahoo’s admission that ‘encrypted or unencrypted security questions and answers’ might be amongst the hackers’ haul. If the investigation determines that this extremely sensitive information was stored unencrypted then serious questions need to be answered, as this lack of security will highlight serious failings by Yahoo in its responsibility to protect customers.

Any Yahoo customers would be prudent to change their passwords - although, given the fact that the breach occurred two years ago, it is a bit like closing the stable door after the horse has not only bolted but long since died of old age.

Despite many warnings, millions of users will still use very simple passwords like 1111, "qwerty", or their own names. According to Positive Technologies research, the password "123456" is quite popular even among corporate network administrators: it was used in 30% of corporate systems studied in 2014. Hackers use dictionaries of these popular passwords to brute-force user accounts, so perhaps now is the time to employ a little creativity.

Yahoo! does offer additional protection in the form of Account Key and it would be prudent for any users that decide to continue using its service to employ this as a matter of urgency."

Troy Gill, Manager of Security Research at AppRiver:
"The fact that Yahoo has now confirmed the breach is no surprise - the scale however is. The sad reality is this is the latest in a long list of organisations that have been caught napping when it comes to protecting customers’ data, and I don’t think we’ve seen the last confession yet. In fact as technology infiltrates every facet of our lives, we are only opening the door for these types of events to be both more frequent and by all likelihood more impactful.

Yahoo users should be particularly concerned that the stolen information includes security questions and answers as this could leave them open to far more than just their Yahoo email account being compromised. It raises the potential for accessing other accounts, including those with sensitive personal and financial information. Identity theft is a very valid concern for all the victims.

I would be interested to know the findings by Yahoo when they allegedly investigated the 200 million records that were for sale on the dark web. Were those able to be confirmed as valid? If so, why did it take this long to inform users of the breach and why were no forced password resets issued prior?

Keeping customers’ data secure should be a top priority for all enterprises. A determined hacker can be quite difficult to detect but organizations need to commit to hardening themselves to these types of attacks. This breach serves as a stark warning to all organizations that no company is too big or too small a target.

Yahoo users should change their passwords immediately and monitor activity closely. Also, they need to make sure they are utilizing a new password that is complex, lengthy and most importantly “unique”. Since we know that password reuse across multiple accounts is very common, Yahoo users need to also ensure that they are not using the same password [as their Yahoo account] on other accounts as well."

Stephen Gates, chief research intelligence analyst at NSFOCUS:
"Although the breach was originally reported back in July of 2012, the size of the breach apparently was incorrectly reported. In 2012, the number of potentially compromised user credentials was estimated to be around 450 thousand. However, the hacker known as Peace is claiming to have up to 500 million user credentials he/she is now attempting to sell online. That’s a huge difference.

Yahoo users, who have not changed their passwords since then, really need to do so now. In addition, if users have used the same username/password combination on any other online accounts, they’re at risk of hackers gaining access to those other online accounts; if hackers can determine what other online accounts a user may have.

The Verizon purchase apparently comes with some “baggage” that they most likely do not want to be associated with. The likelihood of this breach affecting the purchase is, however, quite small. The responsible thing to do is to force all users to update their passwords; however, that action most likely will not be well received by Yahoo’s user community for a breach that happened over four years ago.
Although the number of breaches on this scale have been reduced over the years, they are far from over. Today, organisations of all sizes are taking measures to ensure a breach does not happen to them. Unfortunately, it has not stopped hackers from succeeding on a global scale.

Enterprises must first assess what hackers would likely want to steal from them. Once identified, enterprises must use all measures at their disposal to protect that data – at all costs. If an organisation does not practice due diligence, then they can be accused of alleged negligence. Being found guilty of negligence is never good for anyone’s career.

You must protect your data. It is what hackers are after. This is all about monetary gain, and people will go to almost any length to achieve it. Hackers understand how to erode your defenses, consume your resources, control your systems, and eventually steal your data. Taking an Intelligent Hybrid Security approach will help protect what hackers are after."

David Gibson, VP of strategy and market development at Varonis:
“Hopefully Yahoo! will force password resets for all its users, even ones that it believes have not been affected. Dropbox learned this lesson the hard way. Users should also reset passwords for other accounts that share the same password as their Yahoo account and consider using a password manager going forward.
It’s hard to say for sure whether the breach will upset the pending acquisition by Verizon—publishers of the renowned yearly Data Breach Investigation Report—but it certainly could. If witnessing a data breach capsizes a $4.8 billion acquisition doesn’t shock CEOs and CSOs into investing more in security, what will?
There will certainly be financial repercussions for Yahoo!, if not by way of fines and lawsuits, certainly in terms of time and effort to recover, perform an investigation, and further invest in bolstering security.

Breaches of this magnitude won’t slow until incentives are re-aligned. Dark Reading released a report recently stating that 80% of CSOs cite a lack of funding as being the #1 barrier preventing them from addressing cybersecurity challenges and 51% of CSOs cite a lack of available cybersecurity pros. The two go hand-in-hand. Until organisations are willing to invest more in security technology and pay a higher price tag to attract top security talent, they can expect similar results.
Organisations need to invest more in cybersecurity teams, follow security best practices and make security a top priority if they want to stop hacks on this scale.

The same lessons we learned from Target, Sony, OPM, etc. apply to Yahoo. It’s just too easy for hackers to get their hands on critical data.
Businesses – just like individuals – are still struggling to get the basics right when it comes to securing their data. There are so many basic vulnerabilities that organisations need to address – external and internal. The number of reported breaches will no doubt continue to increase. More companies are keeping more information from consumers and business partners, which increases the value of a potential breach. In order to be productive, company networks can’t be 100% isolated, and no matter how much time and money you spend on security tools, nothing is fool-proof, especially when the weakest links in the chain are the people who need access to data in order to do their jobs.

When you work under the assumption that your outer defences will be breached, it frames the data security challenge somewhat differently. Instead of pouring all of your energy into building a very high, very strong fence, spend more time securing what you truly need to protect: data. Make sure that once someone is inside, their activities will be observed and controlled. Just because you have a great lock on your front door doesn’t mean that cameras and motion sensors aren’t also a good idea. Similarly, monitoring user access and analysing it properly will help organisations identify attackers on their network and hopefully mitigate any damage.
Burying your head in the sand and hoping nothing bad will ever happen isn’t an option these days, so companies should absolutely have a plan for what happens after they discover a breach. Just like it would be silly to choose not to have a plan for a fire in the building, it doesn’t make sense not to have a response plan for a data breach. At a minimum, it’s critical for companies to identify what may have been stolen or deleted and what their obligations are to customers, partners, shareholders, etc. Different types of information have different disclosure requirements, therefore it’s important for companies to understand what kind of data they’re storing and what those obligations are so they can plan accordingly.”

Gubi Singh, Chief Operating Officer at Redscan:
“There is never a good time to be hit by a cyber-attack but the reported breach, appears to have happened at the worst possible moment for Yahoo and that’s unlikely to be a coincidence.
Criminals will spend months planning and implementing attacks on companies of this size, with attackers biding their time to avoid detection.
For companies undergoing a merger or acquisition, a comprehensive cyber security assessment can reduce risk for all parties involved and has become a key part of the due diligence process.”

Jonathan Sander, VP of Product Strategy at Lieberman Software:
“Every single Yahoo user should be turning on Yahoo’s two factor authentication immediately. Yahoo has been prompting users to do this for months and most have ignored the call for extra security. If a headline like this can’t motivate them to take Yahoo’s good advice and use the extra security they’re offering, I’m not sure what could.
Many breach headlines evoke vague awareness – a company you’ve heard of, or something that sounds important. Yahoo is Internet royalty. The message everyone should take from this is truly anyone can be cracked. Apparently it’s a state level actor, which isn’t surprising given the amount of effort and resources it likely took to break security at one of the Internet’s biggest names.”

Amichai Shulman, CTO and Co-Founder of Imperva:
"The ease of getting tons of stolen credentials, together with the fact that users will always continue to reuse passwords simply because they are human, makes brute force attacks more effective than ever and forces application providers to take proper measures to protect their users.
Data from breaches is hot merchandise on both sides of the legitimacy fence, the security marketplace on one side and the dark market on the other.
To prevent brute force attacks, security officers should not rely on password policies only, but should take specific detection measures like rate limiting login attempts, detecting login attempts from automated browsers, treating with caution logins from unexpected countries and anonymous sources, and comparing login data to popular passwords and stolen credentials.
As we point out in our blog, there is a concerning pattern of breaches which occurred in 2012, but their severity was underestimated and under reported. Organisations must not become complacent in the face of 2016’s lack of mega breaches. As it turns out, those who don’t carefully monitor their networks today may well regret it in 2020.”
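The detection measures Shulman lists are concrete enough to sketch. The following is an added example, not Imperva's product or anything from the quoted vendors: a small login guard that evaluates each attempt against a sliding-window rate limit per account and per source IP, flags scripted clients by User-Agent, flags logins from an anonymising source or from a country the account has not been seen in, and compares the submitted credential against a popular-password list (the page's own "123456", "qwerty", "1111") and a breached-credential set. The thresholds, the User-Agent markers, the anonymising-IP set and the breached-credential set are assumptions constructed for the example; a real deployment would feed the last two from a breach corpus and a Tor/proxy feed. The sample attempts are constructed as well.

```python
"""Login-abuse signals for a credential-stuffing run (added example).

Each assess() call returns the list of signals raised by one attempt; an
empty list means nothing looked wrong.  Signals are independent so the caller
can decide which combination triggers a challenge, a lock, or a forced reset.
"""
import hashlib
from collections import defaultdict, deque

WINDOW_SECONDS = 60      # assumption: sliding window for rate limits
MAX_PER_ACCOUNT = 5      # assumption: attempts per account per window
MAX_PER_IP = 20          # assumption: attempts per source IP per window

# Popular-password list; the page cites "123456", "qwerty" and "1111".
POPULAR_PASSWORDS = {"123456", "qwerty", "1111", "password"}

# Constructed stand-ins for external feeds.
AUTOMATED_UA_MARKERS = ("headless", "python-requests", "curl/")
ANONYMIZING_SOURCES = {"198.51.100.7"}          # e.g. a known exit node


def credential_digest(email: str, password: str) -> str:
    """Digest of an (email, password) pair, so the breach set holds no plaintext."""
    return hashlib.sha256(f"{email.lower()}:{password}".encode()).hexdigest()


# Constructed breached-credential set: one pair "leaked" in an earlier dump.
BREACHED_CREDENTIALS = {credential_digest("alice@example.com", "Summer2014!")}


class LoginGuard:
    def __init__(self) -> None:
        self._by_account: dict[str, deque] = defaultdict(deque)
        self._by_ip: dict[str, deque] = defaultdict(deque)
        self._last_country: dict[str, str] = {}

    def _count_in_window(self, log: dict, key: str, now: float) -> int:
        q = log[key]
        while q and now - q[0] > WINDOW_SECONDS:   # drop attempts outside the window
            q.popleft()
        q.append(now)
        return len(q)

    def assess(self, attempt: dict) -> list[str]:
        signals = []
        now, email, ip = attempt["ts"], attempt["email"], attempt["ip"]
        if self._count_in_window(self._by_account, email, now) > MAX_PER_ACCOUNT:
            signals.append("rate:account")
        if self._count_in_window(self._by_ip, ip, now) > MAX_PER_IP:
            signals.append("rate:ip")
        ua = attempt["user_agent"].lower()
        if any(marker in ua for marker in AUTOMATED_UA_MARKERS):
            signals.append("automated-client")
        if ip in ANONYMIZING_SOURCES:
            signals.append("anonymous-source")
        seen = self._last_country.get(email)
        if seen is not None and seen != attempt["country"]:
            signals.append("unexpected-country")
        if attempt["success"]:                       # only successes teach us a home country
            self._last_country[email] = attempt["country"]
        if attempt["password"] in POPULAR_PASSWORDS:
            signals.append("popular-password")
        if credential_digest(email, attempt["password"]) in BREACHED_CREDENTIALS:
            signals.append("breached-credential")
        return signals


# Constructed traffic: one genuine login, then a scripted run of six guesses
# against the same account from an anonymising address abroad.
SAMPLE_ATTEMPTS = [
    {"ts": 0, "email": "alice@example.com", "ip": "203.0.113.5", "country": "GB",
     "user_agent": "Mozilla/5.0", "password": "c0rrect-horse", "success": True},
] + [
    {"ts": 100 + i * 5, "email": "alice@example.com", "ip": "198.51.100.7",
     "country": "RU", "user_agent": "python-requests/2.9", "password": pw,
     "success": False}
    for i, pw in enumerate(["123456", "qwerty", "letmein", "Summer2014!",
                            "hunter2", "passw0rd"])
]


def run_sample() -> list[list[str]]:
    guard = LoginGuard()
    return [guard.assess(a) for a in SAMPLE_ATTEMPTS]


if __name__ == "__main__":
    for attempt, signals in zip(SAMPLE_ATTEMPTS, run_sample()):
        print(attempt["ts"], attempt["password"], signals)
```

Note what each signal buys: the rate limit only fires on the sixth guess, but the scripted User-Agent, the anonymising source and the country change flag the very first one, and the fourth guess matches a credential already in the breach set, which is the point at which a provider should force a reset rather than merely block the attempt.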

Michael Patterson, CEO of Plixer:
“It is interesting that Peace, the alleged hacker, claimed to have access to 200 million user accounts and was selling them online just prior to the Verizon purchase of Yahoo. It may be just a hack or someone with a hidden agenda that designed the timing to try and disrupt a billion dollar transaction. Yahoo has been investigating this hack since August and should have immediately asked users to change their passwords while they looked into the claims.”

Michael Callahan, VP at FireMon:
“Given the size of Yahoo and the scale of this data breach, it is a good reminder that attackers are just waiting for organisations to slip up in their security measures before they seize the opportunity with both hands. Yahoo no doubt has a huge, complex array of security technology in place to try and prevent cyber attacks and the leaking of any customer data. The trouble is, this complexity is becoming increasingly common in organisations that seek to do the “right” thing by bolstering security with more solutions. But without the right intelligent tools to help make sense of the technology, policies and access permissions under one umbrella, it becomes almost impossible to manage. Therefore, we keep seeing these types of breaches happening and will keep seeing them happen until proper security management is addressed.”

Mark James, Security Specialist at ESET:
“500 million accounts is huge by any standards; we sometimes get a little blasé as the numbers get higher but let’s not make any mistakes here, that’s a lot of customers’ information stolen.
Data breaches are on the up, it’s almost a daily occurrence but the damage it causes is massive. The data may be used for immediate financial gain or used later along with more information to enable identity theft or phishing attacks either way it could be very damaging for the victim.
As always in these cases it’s the end user that ultimately pays the price. Of course from a PR point of view it’s never good for the company that was breached, but for the individual it could have long term financial implications if things go badly wrong. It could also mean accounts may be temporarily unavailable and for some, emails are a lifeline. Changing email address if you move to another provider is not as easy as it sounds; because of the nature of how email works you still need access to the old email in case of older websites that may require password resets or account recovery with the original email address.
As Verizon are about to buy Yahoo, they will have to consider the backlash of future issues with compromised account data. Because the ramifications of data breaches are often felt in the future they will have to consider the implications of any customers who can prove identity issues caused as a result of this particular breach if they are the new owners.
Although it seems an easy task, stopping data breaches is not as easy as it sounds. Doing all you possibly can to stop it in the first place, ensuring that if it does happen then the data is stored in such a way that it’s impossible to do anything with it, and having a good contingency plan in case it happens is what organisations need to be doing.

What other businesses can learn from this is, where possible, being proactive with your user base; the users need to be kept in the loop. If there has been a breach then find out how, where and why. Ensure your systems are now clean if malware is involved, reset passwords, inform your users and keep them up-to-date. We all understand data breaches are a factor of modern day computing but the impact can be cushioned with the correct flow of information.”

Brian Spector, CEO of MIRACL: “This is a modern-day mega breach, and demonstrates how data theft and identity fraud is a multi-billion dollar business on the dark Web.

It is still too early for more detailed analysis, but the attack vectors commonly used to initialize attacks of this magnitude are to gain access by stealing employee or insider credentials. The credentials are still all too often simply user name and password. What the attacker knows: when a password, irrelevant of how complex the password may be, is successfully stolen, the attacker can get access to internal systems and work their way to sensitive information - and steal it all.

The underlying issue is that the username and password system is old technology that is not up to the standard required to secure the deep information and private services that we as individuals store and access online today. By contrast, new, secure methods of multi-factor authentication can provide much stronger security, and make database hacks, password reuse, browser attacks and social engineering a thing of the past.”
