Another Yahoo Data Breach – expert comments
December 2016 by Experts
Yahoo sent an email to its users this morning informing them of yet another data breach. You might recall that just a few months ago Yahoo disclosed the loss of more than 500 million records, supposedly the biggest hack of the year, but this latest incident is reported to have exposed at least a billion more user accounts. According to the email, the stolen account information may include “names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers”.
Eldon Sprickerhoff, founder and chief security strategist of cyber security firm eSentire, says: “The magnitude of this breach doesn’t just impact Yahoo account holders, it extends to anyone using web mail services, and drives home how critical two-factor authentication is when it comes to account security. We all have a role to play in the security of our own data. The same fate could be a reality for anyone not using two-factor authentication to secure their accounts.
In the Yahoo case, account passwords were hashed. Think of it as a one-way encryption that can’t be decrypted. But, if you take every possible alphanumeric and punctuation combination, mix it with every possible seed, and feed it through the hash function, you end up with all possible hashed passwords. You can then do a reverse lookup and find the actual password. What this means is that with standard password technology in place (like the kind used by Yahoo), hackers can easily identify user passwords. Two-factor authentication takes security one step further, eliminating the need for hashes, and the risks associated with hashes. It’s a feature that’s enabled by adding another form of identity verification to the account sign-in process, like a phone number. It’s a simple step that provides significantly more protection to account holders. This breach reinforces the need for two-factor authentication on all user accounts, whether business or personal.
The greater risk with this particular breach is the countless other email accounts that could be impacted. Many Internet Service Providers (ISPs), like Rogers in Canada or Sky UK in the United Kingdom, chose not to create their own web mail system. Instead, they white-label Yahoo mail for their account holders. So, if you have a Rogers or Sky UK web mail account, it means that you actually have a Yahoo email account. Regardless, the safest route for all users is to update all passwords and ensure two-factor authentication is enabled, immediately.”
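The reverse lookup the quote above describes only works because unsalted MD5 maps the same password to the same digest for every user, so one precomputed table serves every account. The added example below (not part of the original article or of Yahoo's systems) contrasts that with per-user salted PBKDF2 storage; the four-word candidate list and the user records are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed candidate list standing in for a password dictionary (assumption).
CANDIDATES = ["password", "letmein", "qwerty", "yahoo2016"]
PBKDF2_ITERATIONS = 100_000


def md5_hex(password: str) -> str:
    """Unsalted MD5, the scheme the breach notice names: same input, same digest."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def build_reverse_lookup(candidates):
    """Precompute digest -> plaintext once; reusable against every unsalted record."""
    return {md5_hex(c): c for c in candidates}


def recover_unsalted(stored_md5: str, table: dict):
    """O(1) reverse lookup: the digest itself is the index into the table."""
    return table.get(stored_md5)


def store_salted(password: str) -> tuple:
    """Defender side: random 16-byte salt + slow KDF, stored per user."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_salted(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt; constant-time compare avoids timing leaks."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def records_collide(password: str, salted: bool) -> bool:
    """Do two users with the same password get identical stored records?
    True for unsalted MD5 (one table cracks both); False once salted."""
    if not salted:
        return md5_hex(password) == md5_hex(password)
    _, d1 = store_salted(password)
    _, d2 = store_salted(password)
    return d1 == d2
```

Because every salted record needs its own recomputation at full KDF cost, the "compute every hash once, then look up" approach in the quote no longer applies.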
Additionally, J. Paul Haynes, CEO at eSentire, says: “Any breach that involves personally identifiable information (PII) - like names, addresses, and user credentials - can haunt its victims for months or years. This information usually ends up on the dark web, where it’s cycled through buyers who can use that information to commit various forms of fraud. Hackers can also use PII to access other systems, particularly if the victim used similar username and password combinations for other accounts.”