Cyber security experts respond to Yahoo breach

US multinational tech giant Yahoo revealed on September 22 that hackers, who it believes were state-sponsored, had stolen information from around 500m users in what appears to be the largest publicly disclosed cyber-breach in history.

Personal information accessed in the breach, which apparently occurred in 2014 but had not previously been made public, included names, e-mail addresses and “unencrypted security questions and answers”.

Cybersecurity experts offered commentaries in response to the news:

Stephen Love, security practice lead-EMEA, Insight UK:

“Yahoo is once again in the spotlight for a breach that has been named the largest in history, affecting about 500m users. This is huge, and the more aware the public become of the worth their personal details hold, the bigger the impact will be on the organisation. It is yet another warning of the necessity for every organisation – no matter how large or small – to have a robust security approach to its data management.

“However, communication should be the first priority of reacting to such a breach. Telling customers about a breach that happened in 2014 isn’t acceptable. Even more so with the European Union’s (EU) General Data Protection Regulation (GDPR) only two years from implementation, which will force organisations that face breaches of this nature to notify customers within 72 hours. If they don’t, they will face massive fines that damage the financial stability of the company and this, coupled with the reputational damage, could see the business facing bankruptcy.

“Planning ahead is the best course of action for any business. 2018 might seem a way off, but with just over three months until 2017 begins, before we know it, the new legislation will come into effect. Addressing the EU GDPR now will allow businesses to budget and prepare, taking manageable steps to ensure a compliant business environment that will help protect the company from the potential fallout of non-compliancy.”

Kurt Baumgartner, principal security researcher, Kaspersky Lab:

“These types of breaches highlight why all companies need to be cybersecurity leaders, implementing best practices and available security technologies, such as the delay in encrypting instant messaging (IM) communications, implementing https for its web properties and more.

“Of course, this situation reminds us of Google’s Aurora advanced persistent threat (APT) incident in 2009, announced in 2010. When we compare these two breaches, it is incredible that it’s 2016 and users are only being notified years after a major breach like this one, and only after another organisation made the issue public. While it is important to note that Yahoo! provides a list of account ‘meta-information’ that appears to have been stolen and leaves out content of email accounts, the credential knowledge-based challenge information and passwords were stolen as well. So, passwords could have been reset on accounts without customers carefully checking password resets and access. And, the knowledge-based challenge information used to reset passwords may have been re-used to attack other web services the customer may be using.

“In the meantime, if you are using a Yahoo! email account, it’s a good idea to set up a ‘Yahoo account key’, which removes the need to enter passwords and enables a level of two-factor authentication.

“Do not fall for social engineering schemes that will follow this incident. Everyone should be aware that any breach notice that Yahoo! emails out will go only to their email service users, and it will not provide links to click on, include any attachments, and will NOT ask for personal information.”
