Yahoo Hack Affects 1 Billion Accounts

Uploaded on 2016-12-20 in NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-IT & Telecoms

Security researchers are disturbed that it took Yahoo three years to discover that details on more than 1 billion user accounts had been stolen in 2013.

The breach suggests that someone, possibly a state-sponsored actor, had access to one of the largest email user bases in the world, without anyone knowing. The stolen database may have even included information on emails of US government and military employees.

This incident is distinct from the breach of 500 million accounts the company disclosed on September 22, 2016. Yahoo said in its announcement that how the breach was accomplished is not yet known, and that the company is working with law enforcement to investigate. 

This incident is regarded as being the largest breach on record, in terms of the number of individuals affected. 

People might suppose the breach is unlikely to affect them because the attack happened three years ago and there was no widely reported abuse of the data in the meantime. However, hackers might have targeted users' emails.

Yahoo has also said it is investigating a later, separate issue that might have made some accounts accessible without passwords. "Your email account is the central hub of your entire online existence, if they own that they can ask for password resets on other accounts you have online as well," explains Mr Cluley. Plus, anyone using their account for work purposes, such as sending professional documents back and forth in attachments, could in theory become a target of industrial espionage.

Even if accounts could only be accessed with passwords, the way they were encrypted is less secure than more modern techniques, according to Mr Cluley.

He adds that it is possible the data, including names, telephone numbers and dates of birth, will - or already has - become available to buyers on the dark net, although so far there has been no evidence of this.

Security expert and writer Brian Krebs said in a blog, "For years I have been urging friends and family to migrate off of Yahoo email, mainly because the company appeared to fall far behind its peers in blocking spam and other email-based attacks."

Yahoo has reassured its users: "We continuously enhance our safeguards and systems that detect and prevent unauthorised access to user account."

Some may not think of themselves as Yahoo users but the firm provides some BT and Sky customers' email accounts. "We are urgently investigating this with them," BT said in an online statement, in which it also advised those who had a BT Yahoo email account in August 2013 to reset their password.

Sky said it was advising Sky.com email account users to change their passwords and security question answers. It's also worth remembering that Yahoo acquired Flickr in 2005. Yahoo has said, though, that accounts for Tumblr - which it also owns - would not have been affected.

What should you do?

"Don't just change your Yahoo password," says Mr Cluley. That is the place to start, but once this password is changed, he also recommends changing your password on all other accounts you use and making sure that you use a different one for each.

Security question answers such as "what is your mother's maiden name?" should also be altered. It sounds like a lot of bother, but security experts are increasingly recommending that people use a simple password manager program such as Password Chef, LastPass or 1password.

Two-factor authentication allows users to verify logging in via, for example, entering a separate code sent to their mobile phone.

But the idea that online security stops with password management is outdated, says security expert Prof Alan Woodward at the University of Surrey.

"We're past that now," he says, adding that security professionals tend to enter fake information about themselves to online forms unless they can avoid it. "I'm like the Queen, I have two birthdays - my online birthday and my real birthday," explains Prof Woodward. "Do I give my real address? No - only for financial purposes like billing."

Yahoo accounts do allow users to see recent activity - for example, which computers were used to log in and where in the world they were located. Users can check this for any suspicious behaviour.

If users do want to move away from Yahoo after recent breaches, news site The Parallax recently wrote advice on how to do this.

The deal for mobile giant Verzon to acquire Yahoo for $4.8 billion continues to progress.

BBC:         CyberWire:          ComputerWorld:    More Questions About The Yahoo Breach:


 

« Obama Orders ‘Deep Dive’ Into Election Hacking
Destructive Cyber Attack On Saudi Kingdom »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

TÜV SÜD Academy UK

TÜV SÜD Academy UK

TÜV SÜD offers expert-led cybersecurity training to help organisations safeguard their operations and data.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Deep Identity

Deep Identity

Deep Identity is a boutique system integrator, with expertise in tailored identity governance & administration (IGA) and identity access management (IAM) solutions.

CIRT.GY

CIRT.GY

CIRT-GY is the national Computer Incident Response Team for Guyana.

IT2Trust

IT2Trust

IT2Trust is one of Scandinavia’s leading value-added distributors of business-critical IT solutions within IT security and networking.

NuData Security

NuData Security

NuData Security, A Mastercard Company, is an award winning behavioral biometrics company.

NetKnights

NetKnights

NetKnights is an independent IT security company which offers services and products for strong authentication, identity management and encryption.

National Digital Exploitation Centre (NDEC) - United Kingdom

National Digital Exploitation Centre (NDEC) - United Kingdom

NDEC is a project to create a centre of cyber and digital development and education for the UK. It will offer training in digital practices, cyber security and research.

SMESEC

SMESEC

SMESEC is a lightweight Cybersecurity framework for protecting small and medium-sized enterprises (SME) against Cyber threats.

InterVision

InterVision

InterVision is a leading Strategic Services Provider, assisting businesses in driving value and gaining a competitive edge by helping IT Leaders solve the most crucial challenges they face.

Qasky

Qasky

Anhui Qasky Quantum Technology Co. Ltd. (Qasky) is a new high-tech enterprise engaged in quantum information technology industrialization in China.

Cympire

Cympire

Cympire significantly increases an organisation’s Cyber Resilience through continuous Training and Assessment. Cyber Security Training Platform. Cloud-based and fully customizable Cyber Range.

Query.ai

Query.ai

At Query.AI, we are committed to helping companies unlock the power of their security data, so they are empowered to meet security investigation and response goals while simultaneously reducing costs.

Redpoint Security

Redpoint Security

Redpoint Security is an application security consulting firm that is focused on all aspects of code security.

Mailinblack

Mailinblack

Mailinblack protects your organisation against email threats with an innovative solution that meets your security requirements.

Vircom

Vircom

With a large majority of cyber attacks starting with email, Vircom provides protection against the worst email security threats to your business.

SecurityLoophole

SecurityLoophole

SecurityLoophole is an independent cyber security news platform with global coverage. Latest updates, reports, news and events related to cyber security.

Panoplia Digital Protection

Panoplia Digital Protection

Panoplia Digital Protection is a cutting-edge cybersecurity company that leverages the power of AI and ML to help businesses and consumers protect themselves against cyber threats.