Yesterday Yahoo confirmed that it was the target of the biggest known cyber attack in history. In 2014, 500m Yahoo accounts were compromised, with data including names, email addresses, telephone numbers, dates of birth, hashed passwords (most with bcrypt) and security question answers, some of which were stored unencrypted. Yahoo has claimed that this attack was carried out by a state-sponsored attacker.
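The contrast between bcrypt-hashed passwords and unencrypted security answers is the practical lesson here: an answer to "what was your first pet's name?" is a password-equivalent and needs the same treatment. The following is an added example, not Yahoo's code or anything from the original post. It normalises an answer before hashing (so "Fluffy " and "fluffy" verify as the same answer), salts it, derives the stored value with a slow KDF, and compares in constant time. It uses `hashlib.pbkdf2_hmac` only because that is in the Python standard library; the iteration count and the storage format are assumptions, and bcrypt, as Yahoo used for most passwords, would be the normal choice in production.

```python
import hashlib
import hmac
import os
import re
from typing import Optional

# Work factor (assumed value): high enough that offline guessing of a leaked
# record is expensive. pbkdf2_hmac stands in for bcrypt here only because it
# ships with the standard library.
ITERATIONS = 200_000


def normalize_answer(answer: str) -> str:
    """Canonicalise a security-question answer before hashing.

    Users rarely type an answer the same way twice, so case, surrounding
    whitespace and runs of internal whitespace are folded away. Nothing else
    is altered, so the answer is still compared as the user gave it.
    """
    return re.sub(r"\s+", " ", answer.strip()).casefold()


def hash_secret(secret: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated hash of any password-equivalent string.

    Storage format (an assumption for this example):
    pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_secret(secret: str, stored: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", secret.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # compare_digest avoids leaking how many leading bytes matched via timing.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def hash_answer(answer: str) -> str:
    """Store a security-question answer exactly as you would store a password."""
    return hash_secret(normalize_answer(answer))


def verify_answer(answer: str, stored: str) -> bool:
    return verify_secret(normalize_answer(answer), stored)


if __name__ == "__main__":
    # Constructed sample: a pet name as a user might type it at enrolment.
    record = hash_answer("  Fluffy  ")
    print("stored record:", record)
    print("verifies 'fluffy':", verify_answer("fluffy", record))   # True
    print("verifies 'Rover':", verify_answer("Rover", record))     # False
```

If a database dump leaks, a record in this form gives the attacker a salted, slow hash to grind rather than an answer they can type straight into the account-recovery page of every other site the victim uses.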
I’ve done a few radio interviews giving my thoughts today, and you can listen to what I had to say on BBC Radio London.
Or watch a quick clip of me discussing the breach on Channel 4 News:
I’ve talked about the need for people to change their Yahoo password and set up two-factor authentication and to use strong, unique passwords on all of their accounts. This breach also highlights the need for people to deactivate accounts they no longer use.
(Embedded tweet from BBC Radio 5 live, @bbc5live, September 23, 2016.)
Some thoughts which I didn’t get chance to go into on the radio or TV:
- This is the biggest known cyber attack or data breach in terms of the number of accounts compromised, and the impact on users could be significant. However, it’s interesting to consider how we classify the ‘biggest hack ever’. While this is the largest in terms of volume, is it the biggest in terms of impact? I’m thinking particularly of the Ashley Madison breach, following which at least one user reportedly committed suicide, and the US Office of Personnel Management breach, in which information, including fingerprint data, on US government employees (some of whom of course hold security clearances) was compromised.
- It also needs to be noted, of course, that this is the biggest known breach. When the Myspace breach of 360 million accounts came to light in May of this year, that was reported as the biggest breach only because we didn’t know about this one. Who knows what breaches have taken place that are simply not known?
- When Yahoo confirmed the breach yesterday, many people highlighted the fact that security researchers had informed Yahoo in July that account information stolen in 2012 was seemingly being sold on the dark web. At the time, Yahoo responded by saying they were investigating. Many people understandably assumed that the breach Yahoo were confirming yesterday was the same data advertised for sale earlier this summer. Apparently this is not the case. It seems, rather, that when Yahoo investigated the purported 2012 breach they found no evidence that it was legitimate, but the investigation uncovered another breach, the 2014 one we’re now hearing about.
- Yahoo actually seem to be handling the breach communications pretty well, albeit belatedly. Many have expressed surprise that they are so confident the attacker is a state-sponsored actor, not least because attribution in this space is so notoriously difficult. Putting that to one side, Yahoo have been prompting users to change their passwords and have put in place communications such as this FAQ, which are really helpful. It is a shame, however, that they aren’t using the opportunity to get more people using their two-step verification. My research suggests that only 20% of British people use 2FA, which is a real concern given how much more effective it is than a password alone.
- The news of this breach comes as Yahoo is in the process of finalising the sale of its core business to Verizon, an acquisition announced in July. It will be interesting to see if the breach has any impact on this.
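Why two-step verification limits the damage of a breach like this one: the second factor is derived from a secret that never leaves the user's device and the server's database, and the code it produces is only valid for a 30-second window, so a stolen password (or a cracked bcrypt hash) is not enough on its own. The following is an added example, not part of the original post and not Yahoo's implementation; it is a standard-library implementation of the TOTP scheme (RFC 6238 over RFC 4226 HOTP) that authenticator apps use, with the RFC's own published test secret `12345678901234567890` for checking. The drift window of one step on each side is an assumption chosen to tolerate clock skew.

```python
import base64
import hmac
import struct
import time


def hotp(key: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226: HMAC the 8-byte big-endian counter, dynamically truncate, mod 10^digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    # Take 4 bytes at the offset, drop the top bit to avoid sign ambiguity.
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP where the counter is the number of time steps since the epoch."""
    return hotp(key, for_time // step, digits)


def provisioning_secret(key: bytes) -> str:
    """Base32 form of the shared secret, as pasted into or QR-encoded for an authenticator app."""
    return base64.b32encode(key).decode("ascii")


def verify_totp(key: bytes, code: str, now: int = None, step: int = 30, window: int = 1) -> bool:
    """Server-side check: accept the code for the current step plus `window` steps either side.

    The window (assumed: 1 step) absorbs clock skew between phone and server.
    Comparison is constant-time so a wrong code does not leak how close it was.
    """
    now = int(time.time()) if now is None else now
    counter = now // step
    accepted = False
    for drift in range(-window, window + 1):
        candidate = hotp(key, counter + drift)
        # Evaluate every candidate rather than returning early, keeping timing uniform.
        accepted |= hmac.compare_digest(candidate, code)
    return accepted


if __name__ == "__main__":
    # Constructed example: the RFC 6238 test secret, never a real user's key.
    secret = b"12345678901234567890"
    print("enrol this secret in an app:", provisioning_secret(secret))
    print("code for T=59:", totp(secret, 59))                       # 287082
    print("code right now:", totp(secret, int(time.time())))
```

A server stores the per-user `key` (and nothing derived from the user's password), so even an attacker holding the whole user table from a breach still needs the 30-second code from the device, and the code it can see in a replayed login is already expired by the time it is reused.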