Yahoo hack: Tech industry responds

Yahoo has discovered an even larger breach whilst investigating another. Here's what the tech industry makes of the farce

Yahoo has discovered that it was the victim of an even larger hack whilst investigating a separate security breach from 2014 in which 500 million user accounts were put at risk.

One billion user accounts are apparently at risk in this newly uncovered breach, making it potentially the largest security breach in history. Incredibly, this breach has taken three years to come to light.

Technology commentators are aghast at the news. Here's what they had to say.

Richard Parris, CEO, Intercede

"Three years! How has it taken experts three whole years to discover the largest known data breach in history? If I were a Yahoo customer I would be demanding answers. If I were Verizon, I would have serious concerns over the proposed acquisition.

"Yahoo has advised customers to change their passwords, but it's just too little, too late. How many other accounts have since been breached as a result of this legacy hack? It's more than likely that cybercriminals have been using credential stuffing methods, with the stolen username and password data, to commit identity theft for the last three years.

"Companies have a responsibility to protect their customers' data from malicious hackers. How many large scale breaches of this kind will it take before the industry shuns the damned username and password once and for all?

"More secure methods of authentication have long existed - all it takes is a willingness from companies to implement these. And what's more, some of the most secure methods today are more convenient to the end user than having to remember a long and complicated password."

Brian Laing, VP at malware detection firm Lastline

"The damage inflicted upon a big business from a well-orchestrated attack can exact costs for decades to come. These costs can range from the hard dollar costs of litigation, paying ransoms, investigations and infrastructure replacement to the soft-but-real losses of escalating customer churn and brand value decline.

"Companies too often fail to account for the magnitude of potential losses when resourcing preventative measures. Perhaps a Yahoo - Verizon deal adjustment may stand as a sober reminder of how important it is to get a state-of-the-art cyber defence strategy in place."

Andrew Bushby, UK director of Fidelis Cybersecurity

"The fact that a huge breach with personally identifiable data - including unencrypted security questions and answers - from one billion user accounts can go undiscovered for more than three years shows one thing: companies worldwide need to be reconsidering their security posture. It's becoming increasingly clear that no company is immune from attack and as more companies are breached, more data will be up for sale in the public domain, making further attacks more likely - in essence, this means that preventative security solutions are no longer enough.

"As consumers, we're being told time and time again how valuable our data is and the potential it has for companies to deliver us bespoke services. But if data is indeed so valuable, companies can't continue to fail to protect it with the appropriate security precautions and threat detection strategies. It's important to note that this larger breach was discovered during an investigation of the one disclosed in September, showing just how important it is to continually monitor and analyse a corporate network for potential threats.

"What's more, companies need to get smart in how they analyse potential security incidents. Using metadata - which can provide a type of index that makes data searchable yet protected - for example, can mean that security teams are much more effective at identifying real threats and data exfiltration early.

"Critically, in the case of Yahoo, it shouldn't have taken the revelations and investigation of another breach to notice that the data of one billion accounts was making its way outside corporate control."

Matt Middleton-Leal, Regional Director UK, Ireland and Northern Europe, CyberArk

"While the inquest into this latest attack on Yahoo is only just beginning, there are some worrying details in the reports. Once again, we have an organisation that was oblivious to a major breach until a third party flagged it years later. The exfiltration of data on this scale should have set off alarms, and the only way this would not have been spotted would be if valid login credentials were used to access it.

"If this was the work of a rogue insider or an external hacker, it is highly likely they would have attempted to cover their tracks, using a credential which authorised them to delete or amend security logs - effectively hiding their digital crime forever. With Yahoo unable to explain how the breach occurred, this points towards inadequate security log data to track malicious activity."
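
The point Middleton-Leal makes about an intruder amending or deleting security logs can be illustrated with a hash-chained audit log. The following is an added example, not code from the article or from CyberArk: each entry commits to the previous entry's hash, and the latest head hash is assumed to be copied to a write-once store the logging host cannot change. The sample records are constructed for the demonstration.

```python
import copy
import hashlib
import json
from typing import List, Optional, Tuple

GENESIS = "0" * 64  # the "previous hash" of the very first entry

# Constructed sample audit records for the demonstration (not real log data).
SAMPLE_RECORDS = [
    {"ts": "2013-08-01T02:10:00Z", "user": "svc-backup", "action": "login", "src": "10.0.0.5"},
    {"ts": "2013-08-01T02:11:30Z", "user": "svc-backup", "action": "db.export", "rows": 500000},
    {"ts": "2013-08-01T02:40:12Z", "user": "svc-backup", "action": "logout", "src": "10.0.0.5"},
]


def _entry_hash(seq: int, prev_hash: str, record: dict) -> str:
    """Hash the sequence number, the previous entry's hash and a canonical
    JSON encoding of the record, so a change to any of them changes the hash."""
    payload = json.dumps({"seq": seq, "prev": prev_hash, "record": record},
                         sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(payload).hexdigest()


def append_entry(chain: List[dict], record: dict) -> str:
    """Append a record and return the new head hash. Assumption: the caller
    forwards that head hash to a store the logging host cannot modify."""
    seq = len(chain)
    prev = chain[-1]["hash"] if chain else GENESIS
    entry = {"seq": seq, "prev": prev, "record": record,
             "hash": _entry_hash(seq, prev, record)}
    chain.append(entry)
    return entry["hash"]


def verify_chain(chain: List[dict], expected_head: Optional[str] = None) -> Optional[int]:
    """Return None if the chain is intact, otherwise the index of the first
    entry that fails. When expected_head (the off-box copy of the last hash)
    is supplied, a silently truncated tail is reported as index len(chain)."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry.get("seq") != i or entry.get("prev") != prev:
            return i  # an entry was removed or reordered before this point
        if _entry_hash(i, prev, entry["record"]) != entry.get("hash"):
            return i  # this entry's record was amended after the fact
        prev = entry["hash"]
    if expected_head is not None and prev != expected_head:
        return len(chain)  # entries were dropped from the end
    return None


def build_sample_chain() -> Tuple[List[dict], str]:
    """Build a chain from the constructed records and return it with its head."""
    chain: List[dict] = []
    head = GENESIS
    for rec in SAMPLE_RECORDS:
        head = append_entry(chain, rec)
    return chain, head


# Three ways an intruder with log-write access might try to hide an export.
def tamper_amend(chain: List[dict]) -> List[dict]:
    """Shrink the exported row count in the middle entry."""
    altered = copy.deepcopy(chain)
    altered[1]["record"]["rows"] = 10
    return altered


def tamper_delete(chain: List[dict]) -> List[dict]:
    """Remove the export entry entirely."""
    altered = copy.deepcopy(chain)
    del altered[1]
    return altered


def tamper_truncate(chain: List[dict]) -> List[dict]:
    """Drop the most recent entry."""
    return copy.deepcopy(chain)[:-1]


if __name__ == "__main__":
    chain, head = build_sample_chain()
    print("intact:", verify_chain(chain, head))
    print("amended detected at:", verify_chain(tamper_amend(chain), head))
    print("deletion detected at:", verify_chain(tamper_delete(chain), head))
    print("truncation detected at:", verify_chain(tamper_truncate(chain), head))
```

Amending or deleting an entry breaks the chain at that point regardless of the off-box copy; dropping the newest entries is only caught because the expected head was stored somewhere the intruder's credential could not reach, which is the design decision the quote is really about.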

Andrew Alston, UK director at Covata

"This is one of the most audacious hacks of all time, not just because of its incredible size - affecting around one billion accounts - but because it happened way back in August 2013, and has only just been detected.

"Yahoo is pointing the finger of blame at unnamed ‘state sponsored actors’. Whoever they were, they clearly had the hacking skills to match their ambitions. It's a stark reminder to all organisations that today's cybercriminals are ultra-organised and often multiple steps ahead of their targets.

"Anyone who has a Yahoo account - even if they no longer use it - needs to be extra vigilant following this news. While Yahoo has been quick to point out that the passwords accessed in this incident were hashed, the algorithm used - MD5 - doesn't deliver the levels of security offered by adopting more advanced encryption technology that secures data in individual pieces rather than in large sets. Simply put, MD5 just isn't up to the task.

"Yahoo admits that user security questions and answers have also been stolen, and that not all of this information was encrypted. This means hackers could conceivably know all the answers to the standard questions that so many online businesses - not just Yahoo - use to verify user identities. If they know information such as your mother's maiden name, the name of your first pet or your primary school, they can now use this information to access online accounts and potentially reset passwords.

"This is a bad day for Yahoo, especially considering that the news of this hack comes hot on the heels of a similar incident. However, it's also bad news for all those Yahoo users - both past and present - who need to immediately change the passwords and security questions for any other accounts using the same or similar information to that compromised in this attack."
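
Alston's remarks on MD5 and on unencrypted security answers can be made concrete. The following is an added example, not code from the article or from Covata: it contrasts an unsalted MD5 digest with a salted, iterated PBKDF2-HMAC-SHA256 hash from the Python standard library, and treats security-question answers as the low-entropy secrets they are. The sample password and answer are constructed, and the iteration count is an assumed work factor, not a value from the page.

```python
import hashlib
import hmac
import os
import unicodedata
from typing import Optional

PBKDF2_ITERATIONS = 600_000  # assumption: a deliberately slow work factor

# Constructed sample secrets for the demonstration (not real credentials).
SAMPLE_PASSWORD = "correct horse battery staple"
SAMPLE_ANSWER = "  Rover "  # a security-question answer with stray whitespace


def md5_unsalted(password: str) -> str:
    """The weak scheme the quote criticises: one fast hash, no salt, so every
    user with the same password shares a digest and a precomputed table
    cracks the whole set at once."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def pbkdf2_hash(secret: str, salt: Optional[bytes] = None,
                iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, iterated hash. Stored as 'pbkdf2_sha256$iterations$salt$digest'
    so the parameters travel with the record and can be raised later."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per secret
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def pbkdf2_verify(secret: str, stored: str) -> bool:
    """Recompute with the stored salt and iterations; compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != "pbkdf2_sha256":
        return False
    recomputed = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"),
                                     bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(recomputed.hex(), digest_hex)


def normalise_answer(answer: str) -> str:
    """Security answers are guessed more than typed exactly, so normalise case,
    whitespace and Unicode form before hashing; never store them in clear."""
    return unicodedata.normalize("NFKC", answer).strip().casefold()


def store_answer(answer: str) -> str:
    return pbkdf2_hash(normalise_answer(answer))


def verify_answer(answer: str, stored: str) -> bool:
    return pbkdf2_verify(normalise_answer(answer), stored)


def compare_schemes(iterations: int = 1000) -> dict:
    """Two users choose the same password: the MD5 column reveals it, the
    salted column does not, and verification still works for each user."""
    md5_a, md5_b = md5_unsalted(SAMPLE_PASSWORD), md5_unsalted(SAMPLE_PASSWORD)
    kdf_a = pbkdf2_hash(SAMPLE_PASSWORD, iterations=iterations)
    kdf_b = pbkdf2_hash(SAMPLE_PASSWORD, iterations=iterations)
    return {
        "md5_same_for_both_users": md5_a == md5_b,
        "pbkdf2_same_for_both_users": kdf_a == kdf_b,
        "pbkdf2_verifies_user_a": pbkdf2_verify(SAMPLE_PASSWORD, kdf_a),
        "pbkdf2_rejects_wrong_password": pbkdf2_verify("wrong password", kdf_a),
    }


if __name__ == "__main__":
    for key, value in compare_schemes().items():
        print(f"{key}: {value}")
    record = store_answer(SAMPLE_ANSWER)
    print("answer 'rover' accepted:", verify_answer("rover", record))
```

The per-user salt is what stops a single cracked digest from unlocking every account that reused the password, and the iteration count is what makes bulk guessing expensive; MD5 offers neither, which is the substance of the "not up to the task" remark.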

Graeme Stewart, Managing Director of LogPoint UK & Ireland

"Proper, grown-up security requires us to assume that bad things will happen and employees will make mistakes because, in all honesty, they often have a million and one other things to think about in their job roles over and above security. The correct approach for businesses to take to prevent themselves becoming the ‘next Yahoo’ is one of the judicious use of security technology. Businesses may think they've taken this route by throwing copious amounts of money at a security vendor, but it's about much more than that."

"Businesses must be educated to utilise security technology sensibly - security in the second decade of the 21st century requires intelligence and context, for example, an understanding of an organisation's environment. Companies generate huge amounts of valuable data, so it's of no surprise that hackers are trying to obtain this. The question IT departments and security professionals should be asking themselves is: how can we use this data to better protect ourselves?"

Justin Fier, Director of Cyber Intelligence and Analysis at Darktrace

"Time and time again, we have seen attacks of this scale plague the news. It is clear that companies have a huge visibility problem - they cannot see what is happening inside their own networks. New forms of attacks are inconspicuous, and can remain in a network for weeks, or even months, before sounding any alarms. Yahoo's latest breach yet again heralds the new era of ‘trust attacks’ which aim to erode faith in the integrity of our data, and the institutions who host it. With over a billion accounts breached, cyber-criminals are undoubtedly succeeding in undermining consumer confidence in an organisation's ability to keep our information private. Companies need to ask themselves a crucial question: how do you stop the attacker already inside your network, before it escalates into a crisis?

"There will be mounting pressure for organisations to make themselves more resilient and adopt new forms of technology that can provide the visibility that they lack. These approaches are far more perceptive to intrusions and suspicious behaviour than the legacy tools that are still relied upon. While Yahoo is the focus of today's story, all companies are vulnerable to these types of advanced attacks. Using machine learning to implement an immune system model of security will play a critical role in providing real-time visibility, allowing organisations to keep up with threats in this heightened cyber climate."