Yahoo announced yesterday that they have discovered a previously undetected data breach of “certain Yahoo user accounts.” The discovery was made after Yahoo officials and outside forensic experts investigated data that was provided by law enforcement. The data breach affects over one billion user accounts, which makes it the largest breach in history. Here’s what Yahoo believes was compromised:
For potentially affected accounts, the stolen user account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers. The investigation indicates that the stolen information did not include passwords in clear text, payment card data, or bank account information. Payment card data and bank account information are not stored in the system the company believes was affected.
The official Yahoo statement by Bob Lord, CISO, states that the breach took place in August of 2013 and was probably perpetrated by the same state-sponsored actor that was responsible for the Yahoo breach in 2014. That breach was disclosed just three months ago, and it affected at least 500 million accounts.
Slawek Ligier, VP Security Engineering, spoke with Bay Area NBC News about the most recent disclosure yesterday.
Here are some important takeaways from this incident:
Regarding the Yahoo breach specifically, review all of your online accounts to make sure you are not using the same credentials, including security questions, that may have been compromised here. Do not re-use anything that may have been stolen. These attackers will look for your information on other websites, so be sure that you have changed your passwords.
Use two-factor authentication (2FA) whenever possible to add an extra layer of security to your accounts. Generally speaking, 2FA requires a second piece of information in order to access an account. This could be a code that is sent to an email account or to your mobile phone via SMS, or it could be something that you enter on a special device. Either way, it keeps someone out of your accounts if all they have to work with is the user name and password.
Yahoo also recommends that users take the following steps:
- Change your passwords and security questions and answers for any other accounts on which you used the same or similar information used for your Yahoo account;
- Review all of your accounts for suspicious activity;
- Be cautious of any unsolicited communications that ask for your personal information or refer you to a web page asking for personal information;
- Avoid clicking on links or downloading attachments from suspicious emails; and
- Consider using Yahoo Account Key, a simple authentication tool that eliminates the need to use a password on Yahoo altogether.
Slawek also advises that small businesses should be especially vigilant now. These attacks will continue and will accelerate. Conducting this type of attack is an easy way for a criminal to make money, and there is low risk to a criminal operating out of a foreign country. Small businesses are becoming more connected as they embrace the public cloud, deploy IoT devices like cameras or smart infrastructure devices, and launch mobile apps for their customers.
When processing requests to establish and change memorized secrets, verifiers SHALL compare the prospective secrets against a list of known commonly-used, expected, and/or compromised values. For example, the list MAY include (but is not limited to):
- Passwords obtained from previous breach corpuses
- Dictionary words
- Context-specific words, such as the name of the service, the username, and derivatives thereof
Verifiers SHOULD NOT impose other composition rules (mixtures of different character types, for example) on memorized secrets. Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically) unless there is evidence of compromise of the authenticator or a subscriber requests a change.
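One way a verifier could implement the screening described above, shown as an added example that is not part of the original post. The lists are small constructed samples, and the function name `screen_password`, the leetspeak table and the three-character minimum for context words are assumptions.

```python
import re
import unicodedata

# Constructed sample lists; a real verifier would load a breach corpus
# and a full dictionary instead.
BREACHED = {"123456", "password1", "qwerty123", "letmein"}
DICTIONARY = {"sunshine", "dragon", "monkey", "football"}

# Common character substitutions, undone to expose simple derivatives.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})
EDGE_NOISE = re.compile(r"^[\W\d_]+|[\W\d_]+$")  # digits/symbols at either end


def _norm(s):
    return unicodedata.normalize("NFKC", s).casefold()


def _variants(password):
    """Normalized forms of the password used for dictionary/context matching."""
    n = _norm(password)
    return {
        n,
        EDGE_NOISE.sub("", n).translate(LEET),   # "dr4gon2016" -> "dragon"
        EDGE_NOISE.sub("", n.translate(LEET)),   # "y4h00!"     -> "yahoo"
    }


def screen_password(candidate, username, service_name):
    """Return the reasons to reject a prospective secret; empty list = accept.

    Only the list comparison is applied. No character-class composition
    rules are imposed, in line with the guidance quoted above.
    """
    reasons = []
    if candidate in BREACHED:                    # exact match against breach corpus
        reasons.append("breached")
    forms = _variants(candidate)
    if forms & DICTIONARY:                       # whole password is a dictionary word
        reasons.append("dictionary_word")
    context = {_norm(username.split("@")[0]), _norm(service_name)}
    context = {w for w in context if len(w) >= 3}
    if any(w in f for w in context for f in forms):
        reasons.append("context_specific")       # contains username or service name
    return reasons
```

A long passphrase with no digits or symbols passes, while `Dr4gon2016` is rejected even though it would satisfy a typical mixed-character composition rule.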
These attacks will keep coming, and they will sometimes come long before you discover them, if you discover them at all. There’s no need to shy away from using online accounts to help yourself or your business, as long as you are willing to employ best practices in keeping yourself safe.