ANALYSIS: Hackers have stolen details of 500m Yahoo accounts. Here’s what you should do and what businesses should do next
Yahoo has confirmed that hackers stole the personal information of at least 500 million users in a data breach dating back to 2014.
Speculation that a significant breach had taken place had been growing over the past few months, but this is the first time Yahoo has acknowledged the severity of the incident, and it is now informing users about it.
What has happened?
“A recent investigation by Yahoo has confirmed that a copy of certain user account information was stolen from the company’s network in late 2014 by what it believes is a state-sponsored actor,” said Bob Lord, Yahoo’s CISO.
“The account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers.
“The ongoing investigation suggests that stolen information did not include unprotected passwords, payment card data, or bank account information; payment card data and bank account information are not stored in the system that the investigation has found to be affected.”
The breach is one of the largest ever and the sheer volume of information stolen is of concern, say experts.
“Half a billion records of just emails would be impressive but half a billion names, email addresses, telephone numbers, birthdays, hashed passwords, and (the icing on the cake) ‘unencrypted security questions and answers’ is astounding,” said Tyler Moffitt, senior threat research analyst at Webroot.
“On the bright side, no financial data was breached. And while no unencrypted passwords were stolen, the unencrypted security questions are basically the same thing. It’s good Yahoo! is resetting the questions, but it doesn’t change that they were compromised and that some were likely used for identity theft before Yahoo! disclosed the breach.”
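The statements above draw a distinction between the bcrypt-hashed passwords (not directly readable from a stolen copy) and the unencrypted security answers (readable as-is). The following added example, which is not Yahoo’s code and is not from the article, shows what that distinction looks like in a credential store: both a password and a security answer are stored only as a salted, slow hash and verified in constant time, and a helper classifies which fields of a constructed stolen row an attacker could read directly. PBKDF2-HMAC-SHA256 from the Python standard library stands in for bcrypt here, and the iteration count and record format are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import unicodedata

# Constructed parameters for this example. A real deployment tunes the work
# factor to its hardware; bcrypt (which the article says Yahoo used for most
# passwords) expresses the same idea as a "cost" parameter.
ITERATIONS = 100_000
SALT_BYTES = 16
SCHEME = "pbkdf2"


def normalize_answer(answer: str) -> str:
    """Security answers are free text: fold case and whitespace before hashing,
    otherwise 'Fluffy ' and 'fluffy' would hash to different values."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def _kdf(secret: str, salt: bytes, iterations: int) -> bytes:
    # Deliberately slow, salted hash: a stolen copy cannot be reversed cheaply
    # and identical secrets do not produce identical records.
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, iterations)


def protect_secret(secret: str, *, is_answer: bool = False) -> str:
    """Return a storable record 'pbkdf2$<iterations>$<salt hex>$<hash hex>'."""
    if is_answer:
        secret = normalize_answer(secret)
    salt = os.urandom(SALT_BYTES)
    digest = _kdf(secret, salt, ITERATIONS)
    return f"{SCHEME}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_secret(secret: str, record: str, *, is_answer: bool = False) -> bool:
    """Check a supplied value against a stored record; constant-time compare."""
    if is_answer:
        secret = normalize_answer(secret)
    try:
        scheme, iterations, salt_hex, digest_hex = record.split("$")
        if scheme != SCHEME:
            return False
        candidate = _kdf(secret, bytes.fromhex(salt_hex), int(iterations))
        return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
    except ValueError:
        # Malformed record (wrong field count, bad hex): treat as no match.
        return False


def is_protected(value) -> bool:
    """True if a stored value is a KDF record rather than plaintext."""
    if not isinstance(value, str):
        return False
    parts = value.split("$")
    return len(parts) == 4 and parts[0] == SCHEME


def exposed_fields(row: dict) -> list:
    """Names of the secret-bearing fields an attacker could read directly from
    a stolen row, i.e. those not stored as a KDF record."""
    return sorted(name for name, value in row.items() if not is_protected(value))


# Constructed "stolen" row mirroring the article's description: a hashed
# password next to an unencrypted security answer.
SAMPLE_STOLEN_ROW = {
    "password": protect_secret("correct horse battery staple"),
    "security_answer": "fluffy",
}

if __name__ == "__main__":
    print("directly readable fields:", exposed_fields(SAMPLE_STOLEN_ROW))
```

Running the block reports that only `security_answer` is directly readable from the constructed row; storing the answer through `protect_secret(..., is_answer=True)` instead would leave nothing in the row readable without a per-record brute-force attempt.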
Are you affected?
If you use Yahoo, probably. The company says it will be reaching out to potentially affected users and asking them to change their unencrypted security questions. Experts say you should not wait to be notified: change your password immediately, and do the same on any other site where you use the same credentials.
Some BT and Sky email customers will also be affected. BT now has its own mail platform but until 2013 was supplied by Yahoo Mail, and this is still used by a “minority” of customers. Sky still uses Yahoo and is also reaching out to its subscriber base.
And don’t forget, Yahoo has bought quite a few companies over the years. Flickr, Tumblr and other vowel-averse companies are also in its stable.
What should you do?
The response for consumers is simple: change your Yahoo password immediately, and change it on any other service where you use the same password.
James Lyne, a researcher at Sophos, recommends that you use a different password for every site, and that each one be a combination of upper- and lower-case letters, symbols and numbers.
“Cyber criminals are very proficient at using such data to commit broader fraud, so the ramifications of such a breach can extend well beyond e-mail,” he said.
Of course this is a problem for businesses as well. According to figures from Skyhigh Networks, Flickr is the eighth most used consumer cloud service, with 3,651 users at the average enterprise. Tumblr ranks at No. 13 with an average of 2,588 users, and Yahoo Mail at No. 14 with 1,753.
Credentials could be reused for company services, and the data breach could leave employees exposed to phishing and other social engineering scams on the corporate network.
“In the wake of a breach like this, companies should have a well-oiled response plan,” said Rajiv Gupta, CEO of Skyhigh. “First, measure exposure to the breach by identifying how many employees use the cloud service. Then, take action to prevent immediate threats by prompting employees to change their passwords.
“Companies may consider temporarily blocking data uploads to the service to prevent further damage. The fallout of a data breach doesn’t end there, and neither should companies’ response. Employees frequently reuse passwords, and hackers can use stolen passwords to access other accounts.”
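The first step Gupta describes, measuring exposure by finding out how many employees use the affected services, is something a security team can do from its own web-proxy logs. The following added example (not Skyhigh’s product or the article’s own material) runs over a few constructed, simplified proxy log lines, maps each hostname to one of the services the article names by exact or parent-domain match, and produces the per-service user lists and the de-duplicated set of employees to prompt for a password change. The log line format, the service list and the user names are all assumptions constructed for the example.

```python
import re
from collections import defaultdict

# Constructed list of the services named in the article; a real list would
# come from the organisation's own inventory of sanctioned and shadow cloud apps.
AFFECTED_SERVICES = {
    "yahoo.com": "Yahoo Mail",
    "flickr.com": "Flickr",
    "tumblr.com": "Tumblr",
}

# Constructed proxy log lines in a simplified "timestamp user host path" form.
# The last two lines are deliberate look-alikes that must NOT be counted.
SAMPLE_LOG = """\
2016-09-22T09:01:12Z alice mail.yahoo.com /d/folders/1
2016-09-22T09:02:40Z bob www.flickr.com /photos/upload
2016-09-22T09:03:05Z alice login.yahoo.com /config/login
2016-09-22T09:04:11Z carol example.com /index.html
2016-09-22T09:05:59Z dave myblog.tumblr.com /dashboard
this line is malformed and should be skipped
2016-09-22T09:06:30Z bob notyahoo.com /home
2016-09-22T09:07:02Z erin yahoo.com.evil.example /login
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<host>\S+) (?P<path>\S+)$")


def match_service(host: str):
    """Map a hostname to an affected service. Matches the domain itself or any
    subdomain of it; substring look-alikes such as 'notyahoo.com' or
    'yahoo.com.evil.example' do not match."""
    host = host.lower().rstrip(".")
    for domain, name in AFFECTED_SERVICES.items():
        if host == domain or host.endswith("." + domain):
            return name
    return None


def measure_exposure(log_text: str) -> dict:
    """Return {service name: sorted list of distinct users seen using it}."""
    users_by_service = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole run
        service = match_service(m.group("host"))
        if service:
            users_by_service[service].add(m.group("user"))
    return {service: sorted(users) for service, users in users_by_service.items()}


def users_to_notify(log_text: str) -> list:
    """Distinct employees to prompt for a password change across all affected
    services (someone using two services should be prompted once)."""
    seen = set()
    for users in measure_exposure(log_text).values():
        seen.update(users)
    return sorted(seen)


if __name__ == "__main__":
    for service, users in sorted(measure_exposure(SAMPLE_LOG).items()):
        print(f"{service}: {len(users)} user(s): {', '.join(users)}")
    print("prompt for password change:", ", ".join(users_to_notify(SAMPLE_LOG)))
```

The parent-domain check is the part worth getting right: a plain substring test would count `notyahoo.com` and `yahoo.com.evil.example` as Yahoo traffic and inflate the exposure figure, and the same suffix logic is what you would use to implement the temporary upload block Gupta mentions.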
What can businesses learn?
The hack serves to show that Yahoo is just as much at risk from these attacks as any other business. The implications can be financial or reputational, but the key message from the cybersecurity industry (unsurprisingly) is to invest in adequate measures and be as transparent as possible.
“What other businesses can learn from this is, where possible, being proactive with your user base; the users need to be kept in the loop,” said Mark James, a security specialist at ESET. “If there has been a breach then find out how, where and why. Ensure your systems are now clean if malware is involved, reset passwords, inform your users and keep them up-to-date.
“We all understand data breaches are a factor of modern day computing but the impact can be cushioned with the correct flow of information.”