In December 2016, Yahoo disclosed a second data breach, dating from August 2013, that exposed more than a billion user accounts. This is distinct from the much-publicised and heavily scrutinised incident announced in September 2016, which exposed more than 500 million user accounts. The two breaches followed almost identical footprints and together affect a potential 1.5 billion accounts.
It seems that similar incidents are happening almost daily, and there is no knowing who could be next. The conversation is shifting from "how can I avoid a breach?" to "how can I protect myself and minimise the damage when one happens?".
The Verizon 2016 Data Breach Investigations Report found that 63 percent of confirmed data breaches involved weak, default or stolen passwords. What compounds the impact of this (or any other) breach is that users routinely reuse the same or similar passwords across online accounts such as Yahoo, iTunes, Facebook, Twitter and even online banking, purely for convenience. This comes down to human nature: anything that disrupts activity is avoided, so users fall back on the same familiar password.
So, in this breach or any other, even if the attacker only obtains usernames and passwords, that information, combined with social engineering, can readily be used to take over additional and far more sensitive online identities at other services. Trying leaked username and password pairs against other sites is routine and automated; the practice is commonly called credential stuffing.
In theory, the question of how individuals and businesses protect themselves from this threat is simple to answer. Individuals must accept giving up some convenience in exchange for security and stop reusing passwords across accounts, which in practice means a unique password for every site. The same goes for the all too common practice of letting a website save your password for later access. Typing in your password each time is far less convenient, but it yields a real security gain.
Users also need to ask more of any organisation they trust with their personal information: how the data is being secured, and, directly, for the ability to use two-factor authentication.
Two-factor authentication is the practice of requiring additional assurance that you are who you say you are when logging on. A password (the first factor) is something you know; the second factor is something you have. Think of your ATM card and PIN. The most common and easiest type to implement is the one-time password (OTP). After you enter your password, the service you are trying to reach asks for the second factor: a six- or eight-digit code produced by a hardware or software token in your possession. The code is not truly random; it is computed from a secret stored in the token and either a counter or the current time (the HOTP and TOTP algorithms of RFC 4226 and RFC 6238), which is why the server can check it, and why each code is valid only once and only for a short time. This makes it very difficult to break into the account at a later date: even with the username and password, the attacker cannot get in without the code, which only the token in the user's physical possession can generate. One caveat: an OTP protects a reused or leaked password against later misuse; it does not stop an attacker who phishes the password and the code together and uses them immediately.
From the perspective of the organisations that are the target of a breach, there are drastic changes to be made. These breaches have an enormous effect not only on the reputation of the organisation but ultimately on the bottom line. The latest Yahoo disclosure has not only repeatedly delayed the much-publicised acquisition by Verizon; the recently announced US$350 million (£280 million) price cut in the deal has been directly attributed to the two data breaches and the associated damage to the company.
Looking in detail at the anatomy of such a breach, attackers often use compromised passwords to gain initial access and then escalate privileges, step by step, until they hold an administrator credential that reaches the sensitive data they are targeting. Tighter control over logging in (two-factor authentication), together with control and monitoring of privileged accounts, greatly reduces the risk and the attack surface. Eliminating shared privileged accounts, monitoring what administrators do with those credentials, and implementing a "least privilege" model in which admins are issued only the rights they need to do their job, nothing more and nothing less, is key.
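As an added example (not code from the article or from One Identity), here is a small detection pass that turns two of the controls above into something an operations team could run: it flags privileged logons that presented only a password, and privileged accounts used from more than one source within a short window, which is the usual fingerprint of a shared (or stolen) admin account. The event format and the sample events are constructed for this example; a real deployment would parse the directory, VPN or jump-host logs instead.

```python
# Added example (not from the article or One Identity): a detection pass over
# constructed authentication events that flags password-only admin logons and
# shared privileged accounts.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical, space-separated format:
# <ISO timestamp> <account> <source IP> priv=<yes|no> mfa=<yes|no>
SAMPLE_EVENTS = [
    "2016-12-15T09:00:00 alice   10.0.0.11 priv=no  mfa=yes",
    "2016-12-15T09:01:00 dbadmin 10.0.0.11 priv=yes mfa=no",
    "2016-12-15T09:03:00 dbadmin 10.0.0.42 priv=yes mfa=no",
    "2016-12-15T09:04:00 bob     10.0.0.12 priv=no  mfa=yes",
    "2016-12-15T09:30:00 root    10.0.0.99 priv=yes mfa=yes",
    "2016-12-15T11:00:00 dbadmin 10.0.0.11 priv=yes mfa=yes",
]


def parse_event(line: str) -> dict:
    """Split one constructed event line into typed fields."""
    ts, account, source, priv, mfa = line.split()
    return {
        "time": datetime.fromisoformat(ts),
        "account": account,
        "source": source,
        "privileged": priv == "priv=yes",
        "mfa": mfa == "mfa=yes",
    }


def find_findings(lines, share_window: timedelta = timedelta(minutes=10)) -> list:
    """Return (rule, account, detail, time) tuples for each suspicious event."""
    events = sorted((parse_event(line) for line in lines), key=lambda e: e["time"])
    findings = []

    # Rule 1: a privileged logon that presented only a password. With a leaked or
    # reused password this is exactly the foothold the escalation chain starts from.
    for e in events:
        if e["privileged"] and not e["mfa"]:
            findings.append(("password-only-admin-logon", e["account"], e["source"], e["time"]))

    # Rule 2: the same privileged account used from more than one source within
    # share_window. One named admin does not normally log on from two places at
    # once, so this is a signature of a shared (or stolen) privileged account.
    by_account = defaultdict(list)
    for e in events:
        if e["privileged"]:
            by_account[e["account"]].append(e)
    for account, evs in by_account.items():          # evs are already in time order
        for i, first in enumerate(evs):
            for later in evs[i + 1:]:
                if later["time"] - first["time"] > share_window:
                    break
                if later["source"] != first["source"]:
                    findings.append(("shared-privileged-account", account,
                                     f"{first['source']} then {later['source']}", later["time"]))
    return findings


def summarise(findings) -> dict:
    """Count findings per rule, e.g. for an alert threshold or a dashboard."""
    counts = defaultdict(int)
    for rule, *_ in findings:
        counts[rule] += 1
    return dict(counts)


if __name__ == "__main__":
    results = find_findings(SAMPLE_EVENTS)
    for finding in results:
        print(*finding)
    print(summarise(results))
```

In the constructed sample the `dbadmin` account trips both rules, while `root` logging on once with a second factor and the two ordinary users trip neither; the second `dbadmin` session from the same host almost two hours later is outside the sharing window and is not flagged.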
And while there is not enough public information about the Yahoo breach to determine whether two-factor authentication could have stopped it, or whether weak privileged account management was at fault, there is no question that these technologies and practices have helped, and could help, in similar breaches.
Contributed by Jackson Shaw, senior director, product management, One Identity
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.