Quick to blame a state-sponsored organization, Yahoo announced that at least 500 million of its account holders had their information stolen – back in 2014.
A statement released on September 22, 2016, by Yahoo’s Chief Information Security Officer, Bob Lord, says that the hackers likely have “names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers.” Yahoo says that the “on-going” investigation suggests no payment card data or bank account information was stolen. Nevertheless, it advises users to monitor their accounts for suspicious activity.
At this point Yahoo has revealed very little about the investigation. But its statement did say that there is “no evidence that the state-sponsored actor is currently in Yahoo’s network.”
What the statement noticeably does not say is why it took Yahoo so long to disclose the hack. In August, the cybercriminal “Peace” claimed to have account information for over 200 million Yahoo users. At the time, Yahoo confirmed it was aware of the claim, but it was unclear whether the claim was legitimate, and Yahoo made no statement regarding the security of user information. This raises the question: when did Yahoo become aware of the hack?
As the investigation continues, Yahoo will be expected to answer that question as well as several others. And while it has barely been 24 hours since the announcement, there are already takeaways from Yahoo’s breach. First, any business holding sensitive information must always think defensively. Assume your network is constantly under attack and prepare accordingly. Otherwise, be ready to explain to shareholders and customers why your network was compromised. Secondly, routinely monitor your network – just because you did not detect a breach does not mean a breach did not occur. In other words, don’t wait for a cybercriminal on the dark web to start selling sensitive information stolen from your network before you secure it.
And lastly, do not become complacent about your security. From low-end hackers to state-sponsored organizations, criminals are constantly crafting new ways to steal data, so your network must be equipped to handle the attacks. Because whether we like it or not, data breaches are here to stay – just ask Yahoo and about 500 million of its users.