Yahacked!: Biggest hack in history
One of the original Internet darlings, Yahoo, has had a rough decade. After many stalled buyout attempts and further devaluations thanks to lackluster IPs like Tumblr, Yahoo has finally regained stability as part of a $4.8 billion purchase by Verizon…until now. In what is believed to be the largest breach in history, Yahoo has now confirmed that at least 500 million user accounts have been compromised since 2014. So who’s behind it?
“The Russians Did It.”
Security experts initially suspected the involvement of nation-state actors originating out of Russia. In a security notice, Yahoo published: “We have confirmed that a copy of certain user account information was stolen from the company’s network in late 2014 by what it believes is a state-sponsored actor. The account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers.”
But the evidence for a Russian-sponsored hack has not been substantiated publicly as of yet. What is known is the time that passed between Yahoo’s discovery of the hack and its public disclosure to customers.
“Aside from the sheer scale of this breach which impacts half a billion users, what consumers need to be most concerned about is how long it took Yahoo to either discover or disclose this breach,” Usman Choudhary, chief product officer at ThreatTrack Security, wrote in an e-mail. “For nearly two years their data has been exposed, and it has been putting them at risk.”
Yahoo is working closely with law enforcement, but as you might recall, so was JP Morgan back in 2015 until the FBI filed charges against them for an insider ‘pump and dump’ scheme leading to the arrest of 4 cyber thieves. That hack was initially tied to Russian gangs and government-sponsored hacks, but Russia appears to have been JP Morgan’s scapegoat, and now some are making similar claims about Yahoo.
Speculation over the origin of the hacks will continue to be investigated, but right now many are pointing to the impending Verizon purchase of Yahoo as a contributing factor. Aside from their news and fantasy sports IP, Yahoo’s brand is one of the few things they have left intact. Unfortunately, they have not been fully upfront in sharing the details of the breach and have left their large customer base in the dark. This can have devastating consequences for their brand value, as I recently covered in my Huffington Post piece, Brand Hacking: The Sting of a Cyber-breach.
Security experts say the breach could bring about class-action lawsuits, in addition to other costs. An annual report by the Ponemon Institute found that the cost to remediate a data breach is $221 per stolen record. Added up, that would top Yahoo’s $4.8 billion sale price.
So why did Yahoo take so long to disclose a hack it knew about back in 2014? It’s common for investigations of this size to take weeks or months before investigators go public with any information, but the sheer size of this hack and its implications cannot be overstated. It affects all of us, including those of us that have never used Yahoo services. So where does that leave us?
It might take Yahoo and the feds months to sort through this mess but that doesn’t mean we cannot secure our own accounts right now. Yahoo has posted their own security notice with instructions but here are some basic cybersecurity tips that go beyond simple damage control:
- Change your password to a longer, stronger and unique one NOW. Weak passwords and password reuse are the biggest problems we all face in cybersecurity. It’s the reason I wrote a book about it. And if you’re looking for a password manager, I recommend Dashlane.
- Update your security challenge questions and answers. Never answer questions like “What high school did you attend?” or “What street did you grow up on?” honestly. Answers to these questions are practically public knowledge thanks to the Internet and social media.
- Turn on two-factor authentication. This additional security step keeps you safe and you do not need to memorize a password (and it is free).
- Be suspicious of any emails prompting you to change your Yahoo password. Never click on a link in an email. Visit their site directly by typing the URL into your browser.