‘Unfathomable’ and ‘unprecedented’ are just some of the adjectives being used by security pros today, who woke up this morning to news of a second Yahoo mega data breach.
A second Yahoo mega data breach, dating back to 2013, has been disclosed by the company, with a staggering one billion user accounts reportedly compromised in the attack. In what is one of the biggest breaches ever recorded, experts and consumers alike are asking why this was allowed to happen not just once, but twice. The size of the breach is also, as experts describe it, ‘unfathomable’, which raises even more questions about the security practices at the tech giant.
This latest Yahoo mega data breach, combined with the already disclosed 2014 breach, takes the number of compromised accounts up to 1.5 billion – so what should those 1.5 billion do in the aftermath of this latest breach?
Reaching out to security experts, CBR runs down a list of must-do expert advice for those who think they could be affected by the Yahoo mega data breaches – both of them.
Act Now – Right Now
Adam Levin, founder and chairman of IDT911
“It stretches the imagination how many Yahoo users’ personal information has been compromised – apparently the company lacked the process and controls to identify and manage an extremely serious security breach. Logins coupled with phone numbers, birth dates and security questions provide hackers an ocean for phishing attacks. Given that this, the largest hack of all time, took place over three years ago, the damage may already have been done, but Yahoo users should immediately change passwords and security questions as well as enable 2-factor authentication.”
Passwords Are Dead – Use Multi-Factor Authentication
Ed Macnair, CEO, CensorNet
“While one would hope that most Yahoo account holders changed their passwords earlier in the year, relying on that as a method of dealing with lost details can’t go on much longer. It should have become clear to almost everyone that the password / username method is broken and to stop events like this we need a new system in place. The tools, like multi-factor authentication, already exist; we now need to force their use and make it harder for hackers to get what they want. This situation will carry on repeating itself until we make a change.”
Take extra precautions
Jacob Ginsberg, Senior Director at Echoworx
The size of this breach is quite unprecedented. What makes it even more disturbing is the fact that it went unnoticed at Yahoo! People – and by people I think we can all agree we mean the average person and not just the “tech savvy” – need to take extra precautions and need to be taking their online security into their own hands. Perhaps if Yahoo! had spent more of their development efforts on security and less effort on developing tools to allow governments to access people’s information, we would not be here – again.
Beware of Phishing
Alex Mathews, Lead Security Evangelist at Positive Technologies
“Yahoo must feel like it has a giant target on its back at the moment. Given its years of operation it has amassed a vast trove of people’s personal data, which seemingly draws hackers like moths to a flame. As the wholesale trading of stolen personal data continues online, the value of such a massive database of names, email addresses, phone numbers and passwords will have commanded a good price on dark online markets, especially when they were fresh.
“Forensic analysis will eventually determine the entry point for the attacker, but the fact it is not currently known will probably be causing much angst. It is only once this is found and fixed, that the brand can begin to pick up the pieces and truly reassure users.
“Yahoo users should be aware of increased phishing attempts, as well as being wary of unsolicited texts and phone calls, given that mobile numbers were stolen. Now would be a great time to change passwords across the board, on everything from social media to other online services.”
Guard Your Email – The Gateway to Your Digital Footprint
Ryan Kalember, SVP of cybersecurity strategy at Proofpoint
“It’s critical that consumers and business alike realize that email credentials can be the gateway to more sensitive information than nearly anything else. News of the additional Yahoo breach is yet another indication that email accounts are a prime target among criminals. Email is the top way cybercriminals are breaking into the world’s most sophisticated organizations and they target personal inboxes and account information with the same aggressiveness.
“Email is a necessity in our digital society and attackers are constantly working to exploit it. When a hacker gets into your email account, they can also steal sensitive information like your name, date of birth, past passwords, and even your security questions and answers. The breach provides a direct link between an attacker and a victim.
“If your personal email is compromised, and an attacker assumes your identity, that exposes all of your contacts to an immediate threat and allows the attacker to reset all of your other account passwords. By taking advantage of email accounts, hackers are exploiting the digital trust that exists between the email sender and receiver. This trust is the basis for how our digital society operates. Whether it is personal or enterprise emails, the result is the same: trust is broken and information is at risk.”
Guard Your Password – Your Online Identity is Always At Risk
Paul Calatayud, CTO, FireMon
“For all of us, this breach is a reminder that your online identities are always at risk. There is a lot of talk about making sure you have strong passwords but when those passwords are exposed in a breach, there is a different issue that arises – what else can the hackers do with knowledge of your password?
“Other websites may share passwords because you have decided to remember one long strong password that is reused across other accounts.
“Worse yet, your username is often the email account which is easily guessed or known to the hacker.
“The best way to mitigate the impact of the Yahoo breach would be to ensure you use unique passwords across your web accounts. That way any breach does not expose additional data or information contained in other systems.”