Search Security Tech Target, October 9, 2017; Willy Leichter comments on recent breach impact.
Mass amounts of Yahoo account data stolen but not discovered or reported for years
The number three billion, as in 3 billion users affected in a data breach, is close to half the entire world population (measured at 7.4 billion in 2016). What is even more confounding is that it took Yahoo three years to figure out it had been hacked back in 2013, and then almost another full year to correct its underestimate: it was not "only" one third (1 billion) of its user accounts that were affected, but all of them, the whole 3 billion (separate from the 500 million user breach in 2014). It boggles the mind and raises the question of what kind of security system Yahoo was using, where an attacker could gain access and the theft of information on 3 billion accounts could be underway for however long it took without setting off a single alarm or producing a detectable action for years.
Information stolen included names, email addresses, phone numbers, birth dates, MD5-hashed passwords and, for some accounts, security questions and answers (encrypted or unencrypted). Yahoo assures users that it invalidated the unencrypted security questions and answers so they could not be used by bad actors to get into user accounts.
You may recall that Verizon recently purchased Yahoo (through a subsidiary called Oath) and was granted a $350 million discount due to the breach, which at the time was thought to affect 1 billion users. Verizon now has a hack three times larger than expected to contend with.
It is easy for users to feel they are not being properly taken care of. Nothing seems to carry a guarantee of privacy any more. Not only is our personal information being drastically mishandled, to the extent that it can be stolen over months and years without any alarm bells going off, but those same months or years can go by before we are even informed about it.
Willy Leichter, vice president of marketing for Virsec Systems, an application security company based in San Jose, Calif., told SearchSecurity, "This news will add more fuel to fire for having legal standards on how quickly breach information is revealed and how much detail is required. As we've seen with the Equifax hearings, even conservatives are calling for legislation moving in the direction of the European GDPR."
As always, to protect the data in your other accounts, users are advised, among other steps, to change their passwords and security questions, especially if they re-use the same questions and answers across various accounts.