
Yahoo 2014 Security Breach Exposes the Harsh Reality of Internet Security
Yahoo suffered a major security breach affecting hundreds of millions of users – but we only found out about it two years later. This incident, combined with the 2012 Dropbox breach, demonstrates the harsh reality of internet security: most breaches go either undetected or unreported for years.
The background to Yahoo’s security breach
Yahoo is the latest major player to reveal a past security breach and theft of user data. What the company describes as a “state-sponsored actor” stole the details of 500 million users in 2014. Yahoo has not yet revealed which state is under suspicion, how it reached this conclusion, or the mechanism used to breach its security.
The Recode website was first to publish the story on Sep 22, and later that day Yahoo confirmed the news on its Tumblr site. It follows hot on the heels of the recent Dropbox revelation that almost 70 million encrypted user access credentials were stolen in 2012; Dropbox has only now disclosed the extent of that breach. The Yahoo incident has implications for the proposed $4.8 billion Verizon takeover of Yahoo: disgruntled users may launch a class action suit that could impact Yahoo’s balance sheet and depress the stock.
What happened?
The stolen data is reported to consist of passwords hashed with the bcrypt algorithm, along with user names and personal information, including birth dates, phone numbers, email addresses, and both unencrypted and encrypted security questions and answers. A reputed cybercriminal known as Peace offered the data for sale on an underground website, which brought the incident to light. The attacker did not access more sensitive data such as bank and credit card details, which are stored in a different system.
What happens next?
Yahoo says it has emailed an alert to all affected users, prompting them to change any password they have not changed since 2014. It also urges users to consider a stronger authentication method than passwords alone, and has disabled all unencrypted security questions and answers.
Even though the stolen data is relatively innocuous in itself, it exposes users to risks far greater than simply having their email accounts hijacked. Criminals use this information to attempt further attacks, and may also target an individual’s network of contacts with phishing and social engineering scams.
What can users do about it?
While Yahoo and other online service providers make strenuous efforts to protect data, the lesson for us as users is clear: we really do need to learn and use stronger account authentication measures. This self-discipline need not cost a penny, but inertia holds us back.
A large number of Internet users, including seasoned IT pros who should know better, still re-use the same favorite passwords across multiple online accounts. Hackers know this all too well and use passwords exposed in one breach to attempt to break into other accounts, opening avenues to financial information and possible bank account or credit card fraud.
As well as using the stronger passwords that free password generator services provide, we should consider options such as two-step authentication, which many online services offer to reduce and prevent unauthorized access. Both free and paid password manager services will store strong passwords that may be impossible to memorize; many will automatically fill in the details when you visit a website and are asked to sign in.
Whichever option we choose, we must act to improve our online protection. Break-ins like these will inevitably happen again despite the best efforts of the service providers. Doing nothing is no longer an option.