Yahoo on Thursday disclosed that a massive data breach by a “state-sponsored actor” impacted approximately 500 million users. According to the beleaguered Internet company, which is selling its Web assets to Verizon Communications for $4.83 billion, attackers made off with user names, email addresses, telephone numbers, dates of birth and hashed passwords. In some cases, security questions and answers were also taken, Yahoo said.
Rumors of a huge Yahoo data breach emerged in August after a hacker began selling what was supposedly data stolen from 200 million Yahoo user accounts on the dark market.
While Yahoo’s core business focuses on consumers, the breach has implications for enterprise security. Here’s why information security professionals should care about today’s news.
People tend to have a few passwords that they use to access different Web services. So the password Paul in accounting uses to access his Yahoo email account could be the same credentials he uses to login to the company network and his work email account. This point isn’t missed by hackers, who could use social media to find out where the Yahoo breach victims work and use the pilfered Yahoo credentials to attempt to login to the person’s work account.
People also reuse security questions and answers, including on corporate sites. Even though changing both passwords and security questions and answers is time consuming, Yahoo users should take this step, especially if they used their Yahoo passwords to access other Web services.
Armed with a person’s telephone number, email address and security questions and answers, hackers could craft some very personal phishing emails. Let’s face it: the more customized a phishing email is, the more likely an employee is to open it and click on the attachment or the URL.
Gone are the days when phishing emails were from a Nigerian prince who wrote in broken English that he wanted to share his fortune with you for a small price. Today’s phishing emails are more likely to be from a supposed colleague from another office who needs you to review an invoice. The personal details exposed in the Yahoo attack could help hackers create phishing emails that look very legitimate to even the most security-savvy employee.
Yahoo claimed that user information was stolen from its network in late 2014. This provides hackers with ample time to potentially set up mechanisms that allow them to remain persistent, evade detection and eventually hack Yahoo again. Many times campaigns contain components that are designed to trick security professionals into believing that a threat has been fully remediated. In reality, only a portion of the attack has been discovered and resolved.
Companies that have suffered a data breach need to ensure that they’ve completely remediated a threat and not just one component of a larger, more complex operation. Failing to eradicate the entire threat increases the likelihood that your company will get hacked again.
Verizon is in the process of purchasing Yahoo’s Web assets. There’s the possibility that Thursday’s news could impact the sale. For example, over the long term, the breach could harm Yahoo’s stock price or force the company to contend with a costly class-action lawsuit waged by impacted users. Verizon may attempt to pay less for Yahoo or use the breach to its benefit in the negotiation process.
The bigger point is that security incidents have a ripple effect that goes beyond the immediate fallout and damage that accompanies a breach. The greater impact of this breach may not be seen for months or years.
Yahoo alleged that a nation-state carried out the breach, an interesting claim considering that Yahoo user information has been for sale on the underground Web marketplace The Real Deal since at least August. Why would a nation-state sell this information online instead of using it for its benefit? And that raises the question why a nation-state would even want this data? Yahoo user account details aren’t state secrets or intellectual property that could give a country a political or economic advantage. So far, Yahoo hasn't said what country is behind the attack or explained how the breach was carried out.
Attack attribution is always challenging to pull off. Hackers use many methods that can make it appear that another entity is behind the attack. Instead of focusing on who’s behind an attack, information security professionals are better off shoring their organization’s defenses to prevent future attacks.