What does the Yahoo breach teach us?


Most people active on the internet for the last decade or two have had a Yahoo email account. While many of us have since moved to Gmail, some still use Yahoo as their primary email account and quite a few keep it as a secondary one. In September 2016, Yahoo announced that data from 500 million user accounts had been stolen. A record count that large means a substantial share of all email users worldwide were affected. The data includes users' names, email addresses, telephone numbers, dates of birth and hashed passwords (the majority hashed with bcrypt, according to Yahoo). Yahoo attributes the attack to a state-sponsored actor and says the theft took place in late 2014. What are the implications for individual users, and what lessons can be learned from this?

What is the effect?

The most alarming thing about the breach is that two years passed between the intrusion and Yahoo detecting it, going public and announcing it. Yahoo has conveniently deflected attention from its own security failure by attributing the attack to a nation state actor, without naming the country. Even more alarming is that many users are still unaware of it. Being an InfoSec professional, I learned of the breach on the day it was announced and took the necessary precautions for my account. A week later I asked friends and family who use Yahoo for email whether they knew anything about the breach and whether they had done anything about it. Unfortunately, none of them were aware of it, and none had taken even the basic precautions of changing their password and enabling two factor authentication. What does that say about the state of individual information security? Unless Yahoo takes drastic action, such as forcing a password reset on the affected accounts, attackers will have a field day targeting individual users, and not only their Yahoo accounts: a stolen password can be tried against every other service where the same user has an account. The problem is compounded because most people reuse passwords across accounts, so one breach becomes the key to many.

What can individuals do?
  • Learn and use multifactor authentication. Multifactor authentication means proving your identity with more than one method, for example a one-time password (OTP) sent to your mobile in addition to your regular password. This should not be difficult; we already use mobile or email OTPs to confirm banking and credit card transactions. It alerts you to, and blocks, logins from new devices or locations, so your account cannot be accessed from another device without your approval via the mobile OTP. It is not foolproof, but it is safer. Ironically, Yahoo itself provides the Account Key service, which uses your smartphone to authenticate you. All the major online services, including Google, Facebook, LinkedIn, Twitter and many more, offer multifactor authentication.
  • Do not reuse passwords across accounts. One breach should not lead to other accounts being compromised. Unfortunately reuse is common practice because people have so many online accounts.
  • Use a password manager. A tool such as LastPass, 1Password or Dashlane makes passwords easier to manage. It also lets you use stronger passwords, keep a unique password for every account, and removes the need to remember them.
  • Do not trust organisations to safeguard your security. Organisations could keep personal data such as name, address and phone number encrypted, but often do not, because plaintext is easier to access and to use, and encrypting it works against an advertising-driven revenue model. Users should also keep in mind that even large organisations with large security budgets and the best security experts get breached; the hacks on Sony, MySpace, LinkedIn and now Yahoo have proven this. Therefore, do not give organisations more information than they need.
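To make the first bullet concrete, here is a small worked example of how a time-based OTP (the kind an authenticator app or a service like Yahoo's Account Key relies on) is generated and checked. It is an added example written for this post, not Yahoo's or any vendor's code; it implements HOTP (RFC 4226) and TOTP (RFC 6238) with HMAC-SHA1 from the standard library, and the shared secret, issuer and account name below are constructed for illustration.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP per RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to a 31-bit integer, then reduce modulo 10**digits."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24
            | mac[offset + 1] << 16
            | mac[offset + 2] << 8
            | mac[offset + 3])
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at=None, step: int = 30, digits: int = 6) -> str:
    """TOTP per RFC 6238: HOTP with counter = floor(unix_time / step).
    The phone and the server derive the same code from the shared secret
    and the clock; nothing is transmitted to the phone at login time."""
    if at is None:
        at = int(time.time())
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at=None, step: int = 30,
                digits: int = 6, window: int = 1):
    """Server-side check. Accepts the current step plus/minus `window` steps
    to tolerate clock skew, compares in constant time, and returns the
    counter that matched (or None). The caller must persist the returned
    counter and reject any counter <= the last accepted one, otherwise a
    code phished seconds ago can be replayed within the window."""
    if at is None:
        at = int(time.time())
    counter = at // step
    matched = None
    for c in range(counter - window, counter + window + 1):
        # compare_digest avoids leaking how many leading digits were right
        if hmac.compare_digest(hotp(secret, c, digits), code):
            matched = c
    return matched


def provisioning_uri(secret: bytes, issuer: str, account: str,
                     digits: int = 6, step: int = 30) -> str:
    """The otpauth:// URI that authenticator apps read from the enrolment
    QR code; the secret is base32-encoded without padding."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{issuer}:{account}?secret={b32}"
            f"&issuer={issuer}&algorithm=SHA1&digits={digits}&period={step}")


if __name__ == "__main__":
    # Constructed demo secret (also the RFC 6238 test-vector key).
    secret = b"12345678901234567890"
    print(provisioning_uri(secret, "ExampleMail", "alice@example.test"))
    now = int(time.time())
    code = totp(secret, now)
    print("current code:", code)
    print("accepted at counter:", verify_totp(secret, code, now))
```

The secret never leaves the two endpoints after enrolment, which is why a database dump of hashed passwords alone does not let an attacker log in to an account protected this way; the caveat is that an SMS or app code can still be phished in real time, so the replay guard and the short acceptance window matter in practice.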


Remember: your security is your responsibility. Don't leave it to someone else.
