Yahoo Hack: What This Means to the Enterprise
Yahoo reports a recent hack that took a lot of information from over 500 million Yahoo accounts. The question is: can users protect themselves from future attacks and will it affect the sale to Verizon/AOL?
I think you’d have to have been living in a cave if you didn’t see any online news stories or live TV news broadcasts about Yahoo announcing that 500 million (half a billion!) Yahoo accounts were hacked in late 2014.
This is one of the largest, if not THE largest, data hacks ever recorded. And, Yahoo says that it appears that the Yahoo Hack was a state-sponsored attack (you can guess what this means). There are two key questions:
What effect will this have on the 500 million accounts? None? A lot?
My belief is that the accounts and their data will stay secure, providing users change their account password.
What can users do to prevent downstream damage from the Yahoo Hack?
This is harder to determine. If your account is secured, it’s unlikely that you will see a downstream problem, although you may get a marketing solicitation or phone call from a marketing company that resulted from the perpetrators obtaining a lot of your private information.
After the shock has worn off (“Holy Cow! Yahoo’s been hacked worse than anyone”), I’ve been advising everyone with a Yahoo Account to change their password. That certainly closes the front door, even if the back door may still be open… meaning that whoever hacked into the Yahoo network and systems could have left a secret back door open that allows them to get back in or, even more surreptitiously, could have placed tokens inside the content of some of the user’s data or group data.
The Yahoo Hack took a lot of user account information including names, addresses, email addresses, dates of birth, telephone numbers and other information. At a minimum, the perpetrators could sell the information to telemarketing companies:
“Hi, we’re from Visitor Bureau of the Soviet Government, and we’d like to invite you to visit our new timeshare resort in Moscow?” (pause)
“Ah… How did you get my number?”
“Our Soviet Information Agency gets information from many places around the world, and they allow us to invite many people to visit Moscow. We have some times available in February. Would you like to visit? We can even help with free airfare on one of our military jets.”
(Imagine being issued Soviet military winter parkas with hoods as you disembark in freezing cold, snow and wind to help put up with the 30-degree below zero weather. Brrrrr doesn’t cut it. More like frozen icicles on your face.)
“We’ll take a pass this time around, but thanks for calling.”
Clearly, the information could be used for more devious and problematic activities such as stealing money out of people’s bank accounts.
This hack reinforces the need for security diligence in users’ private and business lives. Security is essential to protecting personal and business information equally; and relying on service and application providers to protect information is not enough. Businesses must apply a layer of security protection as a safeguard as well. We recommend that:
- Yahoo users immediately change the password on their account to something that the user does not use on another web site or web account – especially business accounts. Make it a bit more complicated with a mixture of letters, numbers, lower case, upper case and special characters. You might have to write it down and keep it in a safe place. Certainly don’t leave it lying next to your computer. Change it every 90 days. These are the minimum recommended actions.
- To further protect yourself, change your password and enable two-factor authentication. Yahoo will typically send you a text message with a code that you enter before being given access to your account.
- Change all security questions that are used to reinstate an account when a password is forgotten. Don’t just change the answers, change the questions being asked and choose those that can’t be discovered easily from a Google search.
- If you are an IT executive in a company, consider a policy disallowing Yahoo access from company systems. The policy should be enforced and verified for remote access as well to ensure it is not violated, e.g. display a message stating that access to Yahoo is not allowed on company-owned systems. Why? This is another layer of protection against phishing and malware attacks that could be launched via a hacked Yahoo account.
- Block Yahoo in the company’s filter system so it is blocked before the employee can even see it.
I have already changed the password on my Yahoo account and recommend you do the same. And, if you are a member of a Yahoo Group, let the Group members know to change their passwords as well.
Yahoo and Verizon / AOL
Will the Yahoo Hack end up destroying the merger of Yahoo with Verizon/AOL? I doubt it will affect the final outcome, but it might affect the price. And, you can be sure that the AOL security team will scan the Yahoo environment for any signs of leftover hacker tokens.
For reference, here’s the full email I received from Yahoo: