When Yahoo Inc. on Thursday admitted that a “state-sponsored” hacker was able to abscond with 500 million user accounts, it was yet another reminder of how hard it can be to determine the root cause of an attack without the right training and tools, according to security experts.
According to Yahoo, the account information may have included names, email addresses, telephone numbers, dates of birth, and hashed passwords, making this IT hack one of the largest on record to date. Back in August, technology website Motherboard revealed that a user by the name of “Peace” claimed to have access to the user data of 200 million Yahoo users. “Peace” sought to sell this information for three bitcoin, or around $1,860, according to the site.
In a statement, the company noted that an ongoing investigation is in progress and that the stolen data did not include unprotected passwords, payment card data, or bank account information. Yahoo recommends users avoid clicking on links or downloading attachments, in addition to changing passwords and reviewing online accounts for suspicious activity. It also notes users who haven’t changed their passwords since 2014 do so.
For Canadian enterprise users — specifically those using the Yahoo email platform via Rogers Communications-based Internet services — there hasn’t been any reports of missing or stolen account information.
Toronto-based Rogers recently sent out the following prepared statement: “We take our customers’ privacy seriously and are in contact with Yahoo as they continue their investigation and determine next steps. We encourage people to regularly change their passwords and they can visit rogers.com for tips on how set a strong password.”
The fact Yahoo was breached isn’t surprising, noted Keatron Evans, senior security researcher for Chicago-based Blink Digital Security. “Every company large and small faces similar attacks, but this one is different because it is playing out in the public arena,” he added in an email.
A recent Ponemon Institute report noted that “time is money” when it comes to dealing with data breaches. The IBM-sponsored study also found the longer it takes to detect and contain a data breach, the more costly it becomes to resolve: breaches identified in less than 100 days cost companies an average of US$3.23 million, while hacks uncovered after the 100 day mark cost over US$1 million more on average (US$4.38 million).
It is too soon to tell if this news might affect telecommunications company Verizon’s announcement in July to acquire Yahoo’s digital operations for US$4.8 billion in a deal that was expected to close early next year.
“We understand that Yahoo is conducting an active investigation of this matter, but otherwise we have limited information and understanding of the impact,” the company said in a statement this week.
As this story unfolds, Evans noted it stands as a security cautionary tale for enterprises, one that they should learn from by being more proactive in developing post-breach remediation strategies to investigate breaches faster. Cybersecurity experts note that users should consider, as a best practice, crafting multiple passwords, one for each internet account.
“There are already appliances in the market that help to automate and speed up the forensics process, so no company of Yahoo’s size has the luxury of leaving customers hanging for months without adequate information or a plan for corrective action,” said Evans.
“Whether the target is enterprise or personal emails, the outcome is the same: trust is shattered and sensitive information can be exploited,” said Fiaaz Walji, the Canadian country manager for security firm Proofpoint.
The Toronto-based Walji told IT World Canada that the point in time when a Canadian organization needs to fully disclose that a data breach has occurred — and when — has often depended on the industry vertical. At any rate, all enterprises need to have a level of transparency and openness to the customers and clients they serve, however.
In terms of cybersecurity best practice, organizations should holistically be focused on three things — people, process and technology, Walji noted.
According to Jacob Ginsberg, senior director at Toronto-based email encryption software firm Echoworx, “good enough” doesn’t cut it when it comes to cybersecurity. “Data persists, so even if you’ve taken steps to protect that information, hackers may have the tools to negate these defences six months, one year or three years down the line,” Ginsberg said in an email. “If you do the bare minimum now, this won’t do you any good in six months’ time. Simple hashing of passwords isn’t enough – using strong encryption and salting passwords should be prerequisites for any organization handling account information.”