The revelation that the 2013 Yahoo breach affected three billion accounts – triple the number previously reported – demonstrates the far-reaching and ongoing impact of an undetected hack, underscores the cost of unexamined risk, points to the dangers of neglecting vulnerabilities and, in the US, will likely renew calls for federal data breach notification legislation, information security professionals said in the aftermath of the disclosure by Verizon Communications, which acquired Yahoo earlier this year.
The breach “is now the unfortunate poster child for unexamined risk, as its networks contained long-neglected vulnerabilities for years that eventually led it to becoming the largest global data breach of all time,” said Joe Fantuzzi, CEO of RiskVision, who said that Yahoo is “far from the only enterprise that has consistently overlooked critical factors in its risk environment.”
He noted that risk factors, “like a fix engine light that is all too often ignored,” simply don't “disappear” if organisations overlook them. “If your risk environment is like a roadmap, risk factors are literally red flags – a harbinger for the potential of exploitation or a breach down the road,” said Fantuzzi. “While organisations like Yahoo are staffed by armies of security personnel, their risk environment is also incredibly complex and multifaceted, making it easy to overlook critical vulnerabilities if proper due diligence isn't thoroughly conducted.”
The countless assets of global enterprises, too, make them “glaring targets for hackers,” he said, explaining that “going forward, taking shortcuts around risk won't be an option for these organisations, and assessing and prioritising risk won't be a luxury – it will be mandatory in preventing these kinds of devastating breaches down the road.”
Yahoo has paid a steep price for seemingly poor security practices. “Yahoo is now learning for the third time that the most dangerous hack is often the one that goes undetected,” said Vishal Gupta, CEO at Seclore. “As we saw last year, their security protocols deeply impacted business negotiations with Verizon, and yet again, we are seeing Yahoo's name in the headlines for the same breach.” The breach, Gupta said, should serve as “a reminder for all organisations responsible for safeguarding large amounts of user information to shift to a data-centric security model, as they remain highly valuable targets for hackers, who will continue to come up with inventive ways to infiltrate systems.”
Leigh-Anne Galloway, cyber-security resilience lead at Positive Technologies, said that while “the identity of the hackers, and exactly how they managed to breach Yahoo remains unknown … it's safe to say that this one breach has security implications for more people than ever before.”
Though the Yahoo hack “may not have included clear text passwords, or ‘valuable’ data such as card details, as we recently saw in the Equifax hack, the accounts are still at risk, and hackers can do a lot of damage with very little information,” Galloway said. “Whether you continue to use these accounts today or not, changing your passwords is the only way to guarantee your personal information is secure.”
She encouraged Yahoo users to change their passwords and those “of all other accounts linked to Yahoo” as well as “Yahoo-owned properties, such as Flickr and Tumblr.”
It's even more important to practice good password hygiene since “consumer-facing breaches can extend beyond personal accounts, potentially exposing the enterprise as well,” SailPoint CEO Mark McClain said. “Data breaches like this can create a domino effect across multiple organisations through the reuse of credentials across personal and business accounts.”
Consumers should “go long” and “be unique” to “make things harder for the bad guys,” McClain advised. “Always be aware of where you are on the Internet and take specific note of anything and anybody that asks you to ‘login’ or provide any ‘secrets’ or personal information. Opt in for multi-factor authentication where available.”
The Yahoo breach's expanded victim pool is thought likely to compel US lawmakers and regulators to take action, said Willy Leichter, vice president of marketing at Virsec Systems. “This news will add more fuel to the fire for having legal standards on how quickly breach information is revealed and how much detail is required,” Leichter said. “As we've seen with the Equifax hearings, even conservatives are calling for legislation moving in the direction of the European GDPR.”