The Yahoo Hack is unlike any other
Well, another week, another data breach. However, something about this one seems a little bit different... Oh yeah, 500 million accounts' data were stolen! 500 million!!! That's a huge number and may be the largest data breach in history. Many are reporting that it is, but I say 'may be' because honestly who the hell knows? The Yahoo hack came almost 3 years ago, and we're just finding out about it now. There could be an even bigger breach that took place yesterday that somehow we'll find out about 3 years from now. So yeah, this one is different from any other. The size and scope are unlike anything we have seen to date.
There are still a lot of questions that need answering. When did Yahoo know about this? What kind of an attack was it? Were the account credentials sold or posted on the open internet? What does this tell us about security on the web today? These are all great questions that we address below. There's a lot to cover, but I'll do my best to be precise and concise.

First things first
I wouldn't be doing my job if I didn't address this right off the bat. If you have a Yahoo account and haven't changed your password in the last 6-10 months or so, do it RIGHT NOW. Stop reading this post (but don't forget to come back and read the rest!), log on to your Yahoo account, and go through the password reset process. In fact, even if you've changed it recently - change it again. It's not worth having your account completely screwed or, worse yet, important information in your email stolen. This can lead to identity theft, which is probably the worst possible outcome. If you haven't done it yet, just do it.
OK, so now that we've gotten that out of the way we can get on to analyzing this elephant and examining what it means for Yahoo and internet security as a whole.
So what happened?
Essentially, hackers accessed Yahoo's servers and database and stole about 500 million users' account information. Specifically, Yahoo says the stolen data included email addresses, names, telephone numbers, dates of birth, security questions and answers, and the accounts' hashed passwords. Basically, everything that someone would need to fully access your Yahoo account and anything associated with it.
Right now it sounds like a 'simple' breach. By this I mean they accessed the main Yahoo database, most likely by hacking into the servers themselves. It doesn't look like they planted malware on the website and harvested credentials or anything like that. Just remote server access that should never have happened - at least that's what it seems like right now. There haven't been a whole lot of details about the type of attack it was.
The sheer size of the hack is incredible, but so is the amount of information that was stolen. The fact that they were able to get not only emails and passwords but also the answers to security questions is quite amazing - considering that much of this data was encrypted. Now, will they be able to access the encrypted information? Who knows, but I wouldn't take any chances - change all your passwords and security questions.
Who is responsible?
We have a little more information on this right now. The question is where this information came from and what the basis for this assumption is. Yahoo has claimed that they suspect a 'state-sponsored' actor to be the one responsible, and in the digital security industry the running joke (not really a joke I suppose...) is that this is slang for China (or Russia). As FBI Director James Comey said in 2014:
"There are two kinds of companies in the United States. There are those who've been hacked by the Chinese and those who don't know they've been hacked by the Chinese."
Whether this turns out to be true or not will be interesting to see. It seems like there may even end up being a state sponsored investigation into Yahoo and this may ultimately reveal the source of the breach.
So right now, we really don't know who is responsible - but it's interesting nonetheless that even Yahoo has suggested a state-sponsored culprit, not an individual or a group. This would lead one to suspect that there may be a little more to this allegation than they are letting on. I'm sure we'll hear more about this in the days/months to come. So stay tuned.
It happened in 2014... it's 2016 now...
Yeah so... Why are we just finding out about this now? That's a great question and probably a $10 million+ question for Yahoo. There are about 500 questions that I could write about if we make the assumption that they've known for 2 years and didn't tell anyone (this would be terrible). There also could be about 500 months of jail time handed out by criminal trials if this is true (maybe a slight exaggeration...), but for the sake of this blog we are going to give them the benefit of the doubt and assume they found out pretty recently and are doing the right thing by disclosing it.
However, that may raise questions that paint an even more dire picture about the state of digital/cyber security in the world right now. Think about it. It happened in 2014, and it took Yahoo, one of the largest internet-based companies in the world, 2 years to figure out that 500 million of its users had their complete account information compromised. That's insane. It also says something about the state of digital security in today's world and teaches us another valuable lesson. No one and nothing is safe online.
The cloud and security risk
The cloud has changed everything. We hear it from every major tech service provider. Microsoft, Amazon, Google - you name it, cloud is the marketing buzzword that gets thrown around loosely. What is it? Who cares? It's better and more convenient for you, so you need it! That's the message. Really, it's simply online storage. Storage for what? Anything digital. Videos, photos, movies, company files and data, passwords, computer backups, you name it, it's on the cloud. However, in this scramble to sell consumers cloud-based products and services, these big tech companies have failed to keep up with new and emerging security threats.
The cloud-based services offered on the web have become such a large part of our lives that we often take them for granted. We don't think twice before punching our credit card into Amazon when buying something. We don't think twice before sending credit card information, social security numbers and other identifying information via email, because it's become second nature to us all. This was all duckies and bunnies for a long time because cyber/web-based security was ahead of the game and there wasn't as much risk involved.
That has all changed. The sophistication of cyber threats is increasing. Even countries (like China) are rumored to be sponsoring hacking against companies in the US and around the world. With the huge increase in e-commerce sales, there is more financial information floating around the web than at any other time in history. Thus the potential rewards for stolen information are higher than ever. The increase in those rewards has come with an increase in hack attempts and in the sophistication with which they are conducted.
What can I/should I do?
So what can YOU do? The honest-to-God truth is not a whole lot. You're not going to stop buying things on the internet, and let's face it, you like Dropbox and iCloud, photo sharing services, apps that store your passwords. We all like the internet-based things that put us at the greatest risk, which really puts companies under the gun to greatly increase security on their services.
However, you can think twice. Think twice before you give your credit card information to a website. Think twice before storing it in your browser (and thus on your computer, which can be hacked...). Think twice before using that app that holds your bank passwords. Ask yourself, is this something I need? If this gets compromised, am I in trouble? Think twice before you send an email to your kid with your credit card info, because you could be using the next email client to be hacked.