number of security analysts have said Yahoo Inc.’s recent data breaches constitute yet another wake-up call to the security community, which is tasked with keeping our payments infrastructure safe from persistent and escalating attacks on the part of skilled criminals. In September 2016, Yahoo stated a security breach had occurred in 2014 that affected an estimated 500 million account holders. In December 2016, the company revealed an earlier event in 2013 had potentially affected 1 billion users. The breaches are said to be the largest ever recorded.
“As news of the new Yahoo! breach started pouring in, the first bit of information that really stood out is that the breach occurred in 2013, before the breach that was reported last September, which had taken place in 2014,” said Alex Vaystikh, Chief Technology Officer of advanced threat detection firm SecBI. “The severity of this incident cannot be overlooked. Not only was the intrusion itself not detected in 2013, but no signs of it were discovered during the investigation of the 2014 breach.”
Alex Knight, Director of Security Product Strategy at ControlScan Inc., added, “Yahoo’s reported oversights are shocking to the security community as well as the general public because the mistakes are just so fundamental. People are asking, ‘Why was Yahoo wandering around in the dark for so long?’ And they were. Reports suggest a failure in the basic vulnerability and threat-detection processes that enable a business to actively identify and address security holes before hackers can exploit them.”
Protecting cardholder data
Early reports indicated the 2013 attack occurred outside Yahoo’s cardholder data environment, making it unlikely that any credit card account numbers were stolen. “The investigation indicates that the stolen information did not include passwords in clear text, payment card data or bank account information,” Yahoo representatives stated. However, hackers had access to a treasure trove of personal account data, including names, physical and email addresses, phone numbers, date of birth, hashed passwords and security questions and answers.
Investigators familiar with the 2014 breach said hackers manufactured web cookies to pose as legitimate account holders, which enabled them to falsify login credentials and access accounts without using passwords.
Yahoo has recently tightened security in the aftermath of the episodes, invalidating unencrypted security questions and requiring users to reset their passwords. Security analysts said these measures are insufficient and that nothing short of a wholesale overhaul of Yahoo’s security infrastructure will protect the company and its account users from further criminal activities.
“An outdated security technique is in use or technologies have not been updated to the latest standards, and then they’re compromised when system access is gained,” Knight said. “Therefore, a formal vulnerability management program is essential, as are application development processes that make security best practices programmatic.” Vaystikh concurred, adding, “In too many organizations, threat detection still involves chasing after alerts and investigating them in a very limited way, detached from the bigger picture. Even when they chase down what they believe to be the threat, there is no indication of where and how long ago the incident actually began.”
Public, private repercussions
In addition to criticism for late disclosure of data breaches and lax security measures, Yahoo is facing several lawsuits and a congressional investigation. The impact of the data breaches may have also impacted the planned acquisition of Yahoo by Verizon Communications Inc. Financial analysts expect Verizon to renegotiate its former $4.8 billion bid for Yahoo’s assets.
“Litigation and other problems will stem from Yahoo’s data breach, and Verizon needs to assess the potential financial hit from those headaches and whether they hurt Yahoo’s already shaky financial results,” wrote Bloomberg Analysts Shira Ovide. “Odds are that Verizon will proceed with its Yahoo deal, but under the circumstances it is justified in seeking a [cyber-uncertainty] discount on the toy it plucked from the remainders bin.”
Verizon, a leading provider of managed security systems, has worked with the government and private sector on a range of security initiatives, routinely publishing its findings in a series of reports. The company’s 2016 Data Breach Investigations Report (DBIR) analyzed over 100,000 incidents that occurred in 2015, including 3,141 confirmed data breaches. The company’s IT specialists recommend implementing multilayered security schemes, including spam protection, list blocking, email header/attachment/URL analysis and reporting suspicious emails, to protect against phishing scams and other forms of malicious attacks. The DBIR advised companies to authenticate, segment and monitor all devices, apps and personnel connected to their networks.
While Yahoo reportedly has more than 1 billion users worldwide, the company has lost market share to competing Internet service providers. A growing chorus of experts believe the Yahoo breaches may have precipitated a tipping point in the security community. “The Yahoo breach is just one of a series of wake-up calls highlighting the growing threat we’ve all watched expand over the past several years,” Knight said.