Yahoo hack: what your business needs to know - and why you shouldn't panic
The Yahoo hack is frightening, but the worst of the attacks are likely already over
Don't panic: if the Yahoo hack was going to be used against you by criminals, they'd likely already have done it.
That advice from security experts and analysts may be cold comfort, but businesses need not spend the weekend worrying about the fallout from the leak of 500 million credentials - though there are some steps they should take.
The hack happened in 2014, Yahoo confirmed yesterday, and is likely a state-sponsored attack rather than straight-up cyber criminals, targeting names, email addresses, phone numbers, dates of birth, security answers, and hashed passwords.
IHS analyst Daniel Knapp told IT Prothat though the attack is serious, the timings involved mean the worst of the damage is already done. "The breach was revealed yesterday but it already happened in 2014," he said. "If that's the case, that [any use of the data] will long have happened."
"If companies have not experienced something significant out of this breach so far, they likely will not now," he said. "However, it is recommendable for businesses to go back and investigate whether IT and security problems they had in the past might stem from the breach If you had had any problems, it might be wise, in light of this data breach, to reevaluate those problems."
The standard advice after such hacks is always to refresh your password, and while that's not a bad start, hopefully you've already done so in the intervening two years. "Any Yahoo customers would be prudent to change their passwords - although, given the fact that the breach occurred two years ago, it is a bit like closing the stable door after the horse has not only bolted but long since died of old age," noted Alex Mathews, EMEA technical manager at security firm Positive Technologies.
Confusion remains over whether this attack was related to the summer dump of 200,000 account details. Yahoo said that this attack was by a state-sponsored hacker, suggesting this incident may not be connected to the other, claimed by a cybercriminal known as Peace. If it was more of the same from Peace, that's further reason to breathe a little easier (though Peace may simply be a collater of stolen data, rather than the hacker responsible).
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2024.
"That data was made available on the darknet for $2,600 dollars which isn't very much and signals the low value of the data set," Knapp said. "The price point on the open market is an indication of what you can do with the data set." And that's good news, as it suggests the data isn't seen as very useful to criminals, but again it's not clear if the two attacks are connected.
Either way, despite the age of the attack, businesses and their IT departments still have a few points to add to their to-do lists in the wake of Yahoo's admission."Businesses have to be careful and concerned, and whenever you entrust your smaller business to a large platform, and don't manage your IT and email yourself, that is a risk you have to deal with," Knapp said.
Threats to your business
Yahoo may have slipped from relevancy in recent years, but you shouldn't assume your staff don't have an account. Skyhigh Networks' stats from its 23 million enterprise end users revealed eight out of ten companies had users signed up to Flickr and Tumblr, both owned by Yahoo, while seven out of ten have users still on Yahoo Mail.
And that means the hack is problematic if users shared passwords or other login credentials across sites - including to access business accounts. And from what we know about users, odds are some have done just that, and personal security questions offer an additional risk.
"Passwords can be changed but factual answers to security questions (such as mother's maiden name) can't be," explained Nicola Fulford, head of data protection at law firm Kemp Little. "Knowledge of security answers could give hackers full access to email and other accounts, which contain details of a whole host of sensitive information about finances, health, family and career."
She added: "This information would enable anyone with access to build a detailed picture of someone's life and enable ID theft."
Such a massive leak of data can also make it easier for criminals to target phishing attacks at company staff. "The Yahoo security breach has leaked enough details to leave users open to sophisticated phishing attacks," said Wieland Alge, vice president for EMEA at Barracuda Networks. "The danger with a data breach of this scale is that at least some users will believe phishing emails are genuine, thereby opening the door to attackers."
With all that in mind, businesses and IT departments would be wise to ask users to change passwords or other login details that may have also been used on Yahoo sites, and to remind staff about phishing attacks, warning them not to open unexpected attachments and to be careful when following links in emails - particularly if they purport to come from Yahoo, which will (hopefully) ask users to head to the site to login rather than offer a direct link.
If you've been considering rolling out two-factor authentication at your business, or any other extra layer of protection above and beyond passwords, now might be a good time to ask for budget. "Smart organisations are already moving to stronger methods of user authentication, including adaptive access control techniques and multi-factor authentication as a way of safeguarding credentials," said Jeff Kukowski, COO SecureAuth.
"It is imperative that more organisations take this lead and look to implement adaptive access in a way that, in addition to the credentials, performs risk-analysis as part of the authentication process. This helps render stolen credentials completely worthless across the breached site."
For Yahoo users themselves, the company offers its own extra authentication tool, called Yahoo Account Key that removes the need for a password at all.
Should it have been reported sooner?
It's unclear exactly when Yahoo became aware of the hack, though reports suggest it may have been a month ago. Kemp Little's Fulford pointed out that under new GDPR laws, such breaches will have to be "reported without undue delay and at least within 72 hours of becoming aware", under threat of a fine of as much as 4% of global turnover.
Existing UK laws mean data watchdog the Information Commissioner's Office may not be best pleased with the late notification. "The current ICO criteria for expecting a data breach to be reported to them considers the sensitivity of the data and the volume of data - the Yahoo breach ticks both boxes," she added.
Information Commissioner Elizabeth Denham said in a statement that the ICO is looking into the incident. "The US authorities will be looking to track down the hackers, but it is our job to ask serious questions of Yahoo on behalf of British citizens and I am doing that today," she said. "We don't yet know all the details of how this hack happened, but there is a sobering and important message here for companies that acquire and handle personal data. People's personal information must be securely protected under lock and key and that key must be impossible for hackers to find."
What about Verizon?
The hack comes as Verizon is closing its deal to buy Yahoo's core businesses for $4.8 billion, raising questions of whether the hack's admission will affect the acquisition.
"We don't expect this to affect this Verizon deal," Knapp said, suggesting Verizon may have known about it when it made the acquisition.
But the Financial Times cited SunTrust analysts as saying between three million and 25 million of Yahoo's billion users could ditch the site over the hack, saying that suggests Verizon should push for a "discount" of $150 million on the deal.
If Verizon does follow through on the deal as expected, Knapp predicted it will have to work hard to keep the "stigma" from affecting its own business. "The stigma that remains through this deal, Verizon needs to act very hard to try to distance itself from the deal to prevent any association with the Verizon brand," he said. "We would expect Verizon to become more proactive in the security game," he added, rolling out new measures, making public statements, and perhaps even buying a security company to "highlight that it's actually doing something".
That said, he added: "We expect them to be public tokens, and not measures that really change how things go at Verizon."
Either way, the situation is a good test case for how a breach can affect a company's fortunes. "This will be an acid test for valuing the impact of an incident like this at a time when risk experts, lawyers, accountants and M&A specialists are engaged and scrutinising every detail with their pencil sharpeners out," said John Madeline, CEO at RelianceACSN, in a statement.
As Knapp noted, the backlash may not be significant, as we've become accustomed to such security breaches. "We live in an age of leaks and there's a bit of data-leak fatigue in public minds," he said. "We have to see how the public really reacts to that, and if a data breach of 500m addresses affords a big enough outrage."