The Yahoo hack is listed as the world’s largest data breach to date.
Yahoo has just confirmed that data from at least 500 million user accounts was stolen by a “state-sponsored actor” in late 2014.
Not only does the recent admission of a not-so-recent data breach raise many questions, it also comes at a particularly sensitive time for Yahoo as it looks to close a multi-billion dollar acquisition by Verizon by early next year.
In July, Yahoo received a report that a hacker was offering 280 million user credentials for sale on the Dark Web.
Upon conducting its own detailed and separate investigation, Yahoo discovered evidence of an even larger breach. An infamous hacker named “Peace” was responsible for the Yahoo hack and was selling the credentials of over half a billion Yahoo users on the Dark Web for just over $1,800. This is the same hacker who previously sold data stolen from LinkedIn and MySpace. Data for sale included user names, birthdates, phone numbers, email addresses and security questions.
The Yahoo hack also raises an issue with the practice of “security questions”, which is a common method of allowing users to reset passwords by providing information about their first school or mother’s maiden name. It appears that Yahoo did not encrypt all of the security questions it had on file, making the data readable and accessible to hackers. So while Yahoo recommends that users change their password (not only for their Yahoo accounts but anywhere else that password might be used), it is certainly more of a challenge for a user to change a mother’s maiden name.
In a statement released Thursday, Yahoo confirmed the data breach, announcing that the personal data from 500 million users was indeed stolen in the Yahoo hack dating back to 2014.
Why the delay?
The fact that Yahoo learned about the massive data breach in July and did not announce it until the end of September is typical. It often takes weeks, or more, for forensics experts and government agencies to examine computer logs and databases of internet traffic for evidence of computers communicating with known bad actors.
What is not typical is the size of the Yahoo hack. Often initial intrusions go unnoticed, but not spotting a leak of this magnitude, one that impacts half a billion profiles, is a major failure.
Some security experts think Yahoo might have been relying on older, perimeter defenses. With this type of setup, once a hacker gains entry to a corporate network, they are in a position to do untold damage.
Currently, perimeter network and data security operate like a medieval castle. Imagine the network perimeter is secured by strong walls and ringed by a moat. Once the fortifications (firewall, anti-virus, spam filter, etc.) are breached, the invaders have access to all the spoils inside.
In the past, these defenses provided adequate protection against cyber attack. However, as hackers have become more sophisticated, this security technology has been well and truly left behind.
So, the hard truth is the data within an organization’s walls is no longer safe from determined hackers under the castle model. In addition, since current technology is based on perimeter defense and keeping uninvited visitors out, data breaches occurring inside an organization, due to human error or malicious employee activity, are not addressed at any level.
In order to prevent events like the Yahoo hack, organizations must implement new ways of securing their data going forward. This can be achieved by securing the data itself. Instead of building thicker walls and a deeper moat, organizations must view each piece of data as separate and valuable in itself, and then protect it accordingly.
By securing and encrypting data at the data level, organizations can secure and control their data no matter where it is, even if it travels across domain boundaries.
What does this mean for Yahoo’s multi-billion dollar merger?
Yahoo’s announcement of such a large-scale attack comes at an especially important time, as CEO Marissa Mayer hopes to close the organization’s $4.8 billion acquisition by Verizon in early 2017.
A breach of this magnitude could worry the new owners, with shareholders fretting that it could lead to an adjustment in the price of the transaction.
“We understand that Yahoo is conducting an active investigation of this matter, but we otherwise have limited information and understanding of the impact,” wrote Verizon in a statement. “We will evaluate as the investigation continues through the lens of overall Verizon interests, including consumers, customers, shareholders and related communities.”
In an interview with the Independent, Robert Peck, an analyst with SunTrust, estimates the breach could take $100 million to $200 million off the closing price of the deal. It is possible that Verizon could claim a material breach for the data hack, arguing that this attack has caused irreparable harm to Yahoo, both in terms of customer trust and usage.
While the deal still appears to be moving forward, it must still be approved by a number of regulatory agencies along with Yahoo shareholders.