Last month, email giant Yahoo announced the compromise of 500 million user accounts—which is being called the largest breach from a single site in history. The breach compromised names, email addresses, telephone numbers, dates of birth, passwords, and some encrypted or unencrypted security questions and answers.
Before discussing current questions that have arisen from this disclosure and some important takeaways from the Yahoo breach, consider this background information:
In 2012, Yahoo was breached via SQL injection attack, which compromised about 450,000 usernames and passwords.
Fast-forward to the summer of 2016, when murmurs surfaced from the dark web about a larger Yahoo breach that had potentially compromised as many as 100 million accounts. At this time, the assumption was that all the credentials weren’t disclosed in the 2012 breach or that there had been a subsequent hack within the same year that compromised even more accounts.
It turns out that the speculation on when the breach had happened was incorrect, but the rumors of a larger breach were true. Through a press release published on September 22, 2016, Yahoo confirmed that 500 million accounts were compromised in 2014—an attack that had gone unrecognized until mid-2016.
state-sponsored attack?Yahoo claims that a state-sponsored actor is believed to be responsible for the compromise. There has been some speculation that these claims aren’t well-founded and that the attack was perpetrated by a "cyber criminal gang." We will not comment on the veracity of either claim—but you can read more about the opinions of some from the InfoSec world in this InfoArmor report and this Data Breach Today article.
Yahoo is a very large company, and it maintains a lot of user account information. With its impending $4.8 billion sale to Verizon—and because Verizon is likely very interested in gaining Yahoo’s user and behavioral information through this acquisition—many people are interested in seeing whether the current valuation will be affected.
Mergers and acquisitions (M&A) are commonplace in the business world—but sadly, cybercrime is as well. According to a recent study, 78% of respondents said that cybersecurity is not analyzed or quantified in depth during the M&A due diligence process. If you are evaluating a new merger or acquisition, we strongly suggest that you do not neglect information security and perform security assessments as part of your diligence process.
Of course, not every company handles the same volume of information as Verizon, but the same general security practices apply across the spectrum. We don’t yet know how Yahoo was compromised in this attack, but it is possible that they fell victim to a common attack vector—for example, a phishing attack that compromised some employee user credentials (thus potentially allowing the hacker to acquire the database of sensitive information) or another SQL injection attack (the cause of the 2012 breach).
Ensuring that your databases are constructed in a way that help you avoid SQL injection vulnerabilities and that your employees are cognisant of potential phishing schemes are both important to your cybersecurity posture.
Yahoo was very late to the game in terms of catching and trying to remedy this breach, and news of the breach could have serious consequences during their acquisition from Verizon. While this lends a great deal of credence to the idea of continuously monitoring your own ecosystem, it’s equally important to monitor your vendor ecosystem and your potential acquisitions ecosystem to ensure you uncover any issues before they become problematic.
