Google and Yahoo strengthen security on ads in click fraud crackdown
Businesses have been warned to up their security after tech giant Yahoo revealed it was subject to the second largest data breach ever reported.
Over 500 million accounts were compromised in the data breach, which happened in 2014, and the company is currently taking action to protect affected users.
Yahoo alerted users to the breach in a statement and recommended users update passwords and security questions.
As the full details of the breach are still emerging, here are four things to know.
1. Yahoo says it was performed by a “state-sponsored actor”
The breach occurred during 2014, and potential details first surfaced in August via a hacker known as “Peace”, who at the time claimed there were 200 million users’ credentials available. The hacker was attempting to sell them on data marketplace “The Real Deal”, reported Vice, but it is not confirmed whether that breach is linked to this one.
Yahoo has since revealed it believes the hacker to be a “state-sponsored actor,” and the company is “working closely with law enforcement on this matter”. It has advised worried users it believes the hacker does not still have access to the company’s servers.
Michael McKinnon, cyber security expert at Sense of Security, told SmartCompany cyber terrorism attacks are becoming more common.
“These big companies with millions of users, they have and always will be a target for these sorts of threats,” McKinnon says.
“It’s another example of big company that has let us all down, and this just gives attackers extra leverage.”
2. Security questions were revealed
Yahoo has stated the data breached includes “names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt)”.
However, a number of unencrypted security questions were released with the data, which is worrying news for all users affected. Security questions are used as a way of identifying users for password recovery, often featuring topics like the name of a first pet, or your mother’s maiden name.
McKinnon says Yahoo users should definitely be concerned, as there is a “huge commonality” with security questions across different websites.
“Websites always ask the same questions, and these are things that are a part of your core online identity,” McKinnon says.
“They’re very difficult to change, and once they’re known it’s high value for hackers.”
With the data included in the breach, it would be easy for a hacker to breach other accounts that use the same emails via password recovery systems. Yahoo has said it is taking steps to protect users with leaked security questions, saying it is “invalidating unencrypted security questions and answers so they cannot be used to access an account”.
This is only a solution for Yahoo accounts, and for other accounts McKinnon says the best thing to do is to change your passwords and activate two-factor authentication. Two-factor authentication, which is offered by many major services, requires confirmation from a mobile phone or separate email address before changes to a user’s account are made.
Customers who use Yahoo’s banking services should not be worried, as the company has stated “the ongoing investigation suggests that stolen information did not include unprotected passwords, payment card data, or bank account information”.
Stolen passwords are also unlikely to be cracked, because the company hashed them with bcrypt.
A “hashed” password has been put through a hashing function before storage, as companies almost never store passwords in plain text. Hashing scrambles the password in one direction only: there is no key that unscrambles it, so an attacker has to guess candidate passwords and hash each one to look for a match.
A bcrypt method of hashing is “much more complex” says McKinnon, requiring significant computing power to crack.
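For the defender's side of the bcrypt point above, an added example (not from the article or from Yahoo) that triages a credential table after a breach: bcrypt strings carry their cost factor, so rows that are not bcrypt, or whose cost falls below an assumed `MIN_COST` policy value, can be queued for forced reset first. The sample rows are constructed.

```python
import re

# Modular crypt format for bcrypt: $2a$ / $2b$ / $2y$, a two-digit cost,
# then a 22-char salt and 31-char digest in bcrypt's base64 alphabet.
BCRYPT_RE = re.compile(
    r"^\$2[aby]\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$"
)

MIN_COST = 10  # assumed policy threshold for this example, not a Yahoo value


def classify(stored):
    """Return (kind, cost); kind is 'bcrypt', 'weak-bcrypt' or 'other'."""
    m = BCRYPT_RE.match(stored)
    if not m:
        return ("other", None)
    cost = int(m.group(1))
    if not 4 <= cost <= 31:  # bcrypt only defines cost factors 4..31
        return ("other", None)
    return ("bcrypt" if cost >= MIN_COST else "weak-bcrypt", cost)


def relative_work(cost, baseline=MIN_COST):
    """bcrypt key setup runs 2**cost rounds, so +1 cost doubles each guess."""
    return 2 ** (cost - baseline)


def triage(records):
    """Group user ids by how urgently their password needs a forced reset."""
    buckets = {"bcrypt": [], "weak-bcrypt": [], "other": []}
    for user, stored in records:
        kind, _ = classify(stored)
        buckets[kind].append(user)
    return buckets


# Constructed sample rows: correctly shaped strings, not real password hashes.
SAMPLE = [
    ("alice", "$2a$12$" + "a" * 22 + "B" * 31),     # bcrypt, cost 12
    ("bob", "$2y$05$" + "." * 22 + "A" * 31),       # bcrypt, cost below policy
    ("carol", "0123456789abcdef0123456789abcdef"),  # bare 32-hex digest
]

if __name__ == "__main__":
    for kind, users in triage(SAMPLE).items():
        print(kind, users)
```

Rows in the `other` and `weak-bcrypt` buckets are the ones where offline guessing is cheapest, so they go to the front of the reset queue.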
3. It’s unclear if it will affect the Verizon deal
Yahoo has been in negotiations with US telecommunications giant Verizon over a massive $US4.8 billion ($5 billion) deal, which was confirmed in July this year.
The data breach could mean bad news for the deal, but the anti-breach conditions for the purchase suggest Verizon would not be able to back out, reports Fortune.
Grounds on which the deal could be called off would be if the breach has caused damage to customer trust and usage for Yahoo, or if Yahoo knew about the breach while going ahead with the deal.
As the earliest reports of the breach occurred in August, weeks after the merger was agreed on, this seems unlikely. Verizon has said it will “evaluate as the investigation continues through the lens of overall Verizon interests”.
4. It’s one of the largest security breaches ever
With more than 500 million accounts compromised, it is likely this security breach is one of the largest ever seen. McKinnon says a Russian data breach in 2014 allegedly contained over 1 billion passwords, but it “wasn’t taken very seriously”.
“I certainly think this is one of the largest ever,” McKinnon says.
In 2013, Adobe revealed 150 million users’ data was breached, up from the 38 million it initially claimed.
Earlier this year, social media site MySpace revealed 427 million users’ data was hacked and dumped online for anyone to access.
It is a timely reminder for users to update their passwords, and make them secure.
SmartCompany asked Yahoo how many Australian accounts were affected by the breach and was provided with this statement:
“We recently disclosed a theft of Yahoo user account information by what’s believed to be a state-sponsored actor. For those user accounts potentially at risk, we are notifying them and prompting them to take remedial action.
“We’re committed to keeping our users secure, both by continuously striving to stay ahead of ever-evolving online threats and to keep our users and platforms secure. More information on our ongoing investigation and our efforts to secure our users will soon be available at https://yahoo.com/security-update.”
This article was first published on SmartCompany.