A Yahoo security breach has affected more than 1 billion accounts. This is an almost inconceivable security incident, easily surpassing the 500 million user breach Yahoo admitted to earlier this year.
So chances are you or at least some of your users have been victims of the attack. Here’s what you need to know.
1. It’s not just Yahoo
The first thing you need to know about this breach is even if your users don’t have or never have had a Yahoo account, their info could still be at risk.
Other companies, among them AT&T, Verizon (for a time) and BT, issued email addresses that ran on Yahoo’s systems, and there are many more. As security researcher Brian Krebs observes, “Your Yahoo account may not include the word ‘yahoo’ at all in the address.”
Users should be on the lookout for notifications that their accounts may have been jeopardized, even if they’ve never opened a Yahoo email address per se.
2. The guts of the problem
It’s important to know the kinds of things that this attack has potentially revealed. The information stolen may include:
- email addresses
- telephone numbers
- dates of birth
- security questions and answers, and
- hashed passwords.
While hashed passwords may not seem like such a big deal, the breach occurred in 2013, back when Yahoo was using a password hashing method that was woefully lacking.
So even though the passwords were hashed rather than stored in the clear, it wouldn’t take much effort for an attacker to recover them. With a weak hashing method, brute-force guessing (trying candidate passwords against the stolen hashes until one matches) is cheap, and a recovered password gives access to the account.
Also of note: Revealing security questions and answers to attackers could allow them to craft better phishing emails or use these security questions to reset other services.
3. No password needed
Part of what this disclosure revealed is that attackers were able to impersonate users without their knowledge or even their passwords.
They did so by forging “cookies,” the small pieces of data a website stores in the browser to remember that a user has already logged in. A forged cookie makes the site treat the attacker’s visit as that user’s existing session.
Details are sketchy on this, but it seems that a state-sponsored attack is to blame. Yahoo is apparently informing those who may have been affected by this attack.
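The forged-cookie problem comes down to this: a site that trusts a session cookie must be able to tell its own cookies from fabricated ones, and that check is only as strong as the secret behind it. The example below is added here and is not Yahoo’s code; it assumes HMAC-SHA256-signed cookies carrying a user id and an expiry, and shows that a cookie altered or minted without the server key is rejected, and that rotating the key invalidates every cookie issued under the old one.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed server-side secret for the example; a real deployment keeps this in a
# secrets store and rotates it, because anyone holding it can mint valid cookies.
SERVER_KEY = b"constructed-example-key-not-for-production"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_cookie(user_id: str, key: bytes, ttl_s: int = 3600, now: Optional[float] = None) -> str:
    """Build 'payload.mac': the payload names the user and an expiry, the MAC covers both."""
    exp = int((now if now is not None else time.time()) + ttl_s)
    payload = json.dumps({"uid": user_id, "exp": exp}, separators=(",", ":")).encode()
    mac = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(mac)}"


def verify_cookie(cookie: str, key: bytes, now: Optional[float] = None) -> Optional[str]:
    """Return the user id only if the MAC verifies under `key` and the cookie is unexpired."""
    try:
        payload_b64, mac_b64 = cookie.split(".", 1)
        payload, mac = _unb64(payload_b64), _unb64(mac_b64)
    except ValueError:  # malformed cookie (binascii.Error is a ValueError)
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):  # constant-time compare; forged or tampered
        return None
    claims = json.loads(payload)  # authentic at this point, safe to parse
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        return None
    return claims.get("uid")


def tamper_uid(cookie: str, new_uid: str) -> str:
    """Rewrite the user id but keep the old MAC, which is all someone without the key can do."""
    payload_b64, mac_b64 = cookie.split(".", 1)
    claims = json.loads(_unb64(payload_b64))
    claims["uid"] = new_uid
    return f"{_b64(json.dumps(claims, separators=(',', ':')).encode())}.{mac_b64}"
```

The lesson for the defender is the last case: once the signing key is suspected compromised, rotating it is what actually logs the attacker out, and every legitimate user simply signs in again.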
4. Breaches will hurt the bottom line
Word is that Verizon, which is in talks to buy Yahoo, has significantly reduced its offer price following this breach notification. And given that the breach occurred three years ago and this is the first anyone has heard of it, that’s going to raise serious questions about how much the company can be trusted and put the deal itself at risk.
The company’s stock price also dropped significantly following the announcement.
Moral: You can’t avoid damage from a breach by sweeping it under the rug and hoping no one ever finds out. In fact, that can make things much worse when the information does come to light.
Best bet: Have a strategy in place ahead of time (and perhaps cyberinsurance) so you can move on from a breach as quickly as possible instead of waiting to see if it all blows over.