Takeaways From Yahoo's 500-Million-Account Breach

Melissa Stevens | October 6, 2016 | tag: Vendor Risk Management

Last month, email giant Yahoo announced the compromise of 500 million user accounts—which is being called the largest breach from a single site in history. The breach compromised names, email addresses, telephone numbers, dates of birth, passwords, and some encrypted or unencrypted security questions and answers. 

Before discussing current questions that have arisen from this disclosure and some important takeaways from the Yahoo breach, consider this background information:

In 2012, Yahoo was breached via SQL injection attack, which compromised about 450,000 usernames and passwords.

Fast-forward to the summer of 2016, when murmurs surfaced from the dark web about a larger Yahoo breach that had potentially compromised as many as 100 million accounts. At the time, the assumption was either that not all of the credentials taken in the 2012 breach had been disclosed, or that a subsequent hack within the same year had compromised even more accounts.

It turns out that the speculation on when the breach had happened was incorrect, but the rumors of a larger breach were true. Through a press release published on September 22, 2016, Yahoo confirmed that 500 million accounts were compromised in 2014—an attack that had gone unrecognized until mid-2016.

Current Questions About The Yahoo Breach 

Was Yahoo compromised through a state-sponsored attack?

Yahoo claims that a state-sponsored actor is believed to be responsible for the compromise. There has been some speculation that these claims aren’t well-founded and that the attack was perpetrated by a "cyber criminal gang." We will not comment on the veracity of either claim—but you can read more about the opinions of some from the InfoSec world in this InfoArmor report and this Data Breach Today article.

Will the disclosure of this breach affect Yahoo’s impending acquisition from Verizon?

Yahoo is a very large company, and it maintains a lot of user account information. With its impending $4.8 billion sale to Verizon—and because Verizon is likely very interested in gaining Yahoo’s user and behavioral information through this acquisition—many people are interested in seeing whether the current valuation will be affected.

Examining the cyber risk of an acquisition target is vital—and it’s easier than you might think!

Takeaways

1. Monitor the security posture of your vendor before you merge or acquire.

Mergers and acquisitions (M&A) are commonplace in the business world—but sadly, cybercrime is as well. According to a recent study, 78% of respondents said that cybersecurity is not analyzed or quantified in depth during the M&A due diligence process. If you are evaluating a new merger or acquisition, we strongly suggest that you do not neglect information security and perform security assessments as part of your diligence process.

2. Pay attention to common attack vectors.

Of course, not every company handles the same volume of information as Verizon, but the same general security practices apply across the spectrum. We don’t yet know how Yahoo was compromised in this attack, but it is possible that they fell victim to a common attack vector—for example, a phishing attack that compromised some employee user credentials (thus potentially allowing the hacker to acquire the database of sensitive information) or another SQL injection attack (the cause of the 2012 breach).

Ensuring that your database queries are constructed in a way that avoids SQL injection vulnerabilities, and that your employees are cognisant of potential phishing schemes, is important to your cybersecurity posture.
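To make the SQL injection point concrete, here is an added example (not code from the original post or from Yahoo) that runs the same account lookup two ways against a small constructed in-memory SQLite table: once by concatenating the username into the statement, and once with a parameterized query. The table, usernames and emails are constructed for the demonstration.

```python
import sqlite3

# Constructed in-memory table standing in for an account store (not Yahoo's schema).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("o'brien", "ob@example.com")])
    conn.commit()
    return conn

def find_email_unsafe(conn, username):
    # Builds the statement by string concatenation, so quote characters in
    # the input are parsed as SQL syntax rather than treated as data.
    sql = "SELECT email FROM users WHERE username = '" + username + "'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def find_email_safe(conn, username):
    # Parameterized query: the driver binds the value separately from the
    # statement text, so the input can never change the query's structure.
    row = conn.execute("SELECT email FROM users WHERE username = ?",
                       (username,)).fetchone()
    return row[0] if row else None

def compare(username):
    """Run both lookups on the same input and return (unsafe_result, safe_result).
    If the concatenated statement fails to parse, unsafe_result is the
    exception class name instead of a value."""
    conn = make_db()
    try:
        unsafe = find_email_unsafe(conn, username)
    except sqlite3.Error as exc:
        unsafe = type(exc).__name__
    return unsafe, find_email_safe(conn, username)

if __name__ == "__main__":
    # A legitimate name containing an apostrophe breaks the concatenated query
    # but works with parameters; the textbook tautology input makes the
    # concatenated query match every row while the parameterized one matches none.
    for name in ("alice", "o'brien", "nobody' OR '1'='1"):
        print(repr(name), "->", compare(name))
```

The review check to apply to your own code base is the same one this block illustrates: any statement assembled from user-controlled strings is a finding, regardless of whether the current input set happens to be benign.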

In Summary

Yahoo was very late to the game in terms of catching and trying to remedy this breach, and news of the breach could have serious consequences during their acquisition from Verizon. While this lends a great deal of credence to the idea of continuously monitoring your own ecosystem, it’s equally important to monitor your vendor ecosystem and your potential acquisitions ecosystem to ensure you uncover any issues before they become problematic.
