Yahoo Data breach, 200 million users data allegedly offered for sale on dark web – industry comments

It has been reported that 200 million Yahoo! accounts appear to have been compromised following their appearance on dark web site, TheRealDeal. Usernames, hashed passwords and dates of birth appear to have been compromised. The data sample includes some credentials which correspond with real accounts. Several industry experts offered the following comments:

Stephen Gates, chief research intelligence analyst at NSFOCUS:

“It appears that Peace is at it again. The individual has dumped millions of user credentials from 4-year-old breaches online over the past few months, and has increased his or her income quite significantly – in a relatively short period of time. Too bad that many of the hard working people all over the world who may have had their credentials breached in these cyber-attacks, spend years trying to make the same amounts of money Peace has made in a few short months. Happy are those who work for what they earn and don’t take the easy way out by living a life of crime. Maybe Peace will begin to follow their lead and use his or her skills for a more noteworthy purpose. There are lots of problems in the world that need fixing. Filling our pockets will solve none of them.”

Lisa Baergen, director at NuData Security:

“All indications are that this is an old breach (2012) prior to Yahoo changing the method in which they store and protect passwords. This dark web “sale” of old data appears to have been triggered by the sale of Yahoo to Verizon. The “hacker” sent his demand for extortion to the Verizon CISO, who appears to not have taken the bait… and now the data is “for sale”.

This hack illustrates that the software industry, as a whole, needs to stay vigilant because PII data continues to be targeted wherever it may live and that hackers aren’t taking the summer off. We’ve pointed out time and time again that data breaches don’t occur in a vacuum. Hackers are making a living by selling this data on the dark web, they do it because they can pay the bills doing it, and what everyone should be asking themselves is why are folks buying it? Because that data — your data, my data and everyone’s data — gets bought for pennies, bundled up into bigger packages (identity sets) called “fullz”, and used as fuel. Fuel for a much more lucrative project that is making people even more money, and putting their kids through school. These folks don’t give a hoot about you, your privacy and your accounts. They’ll use your stolen credentials and take them over, apply for loans in your name, grab your refund from the IRS, and order that new TV from your favourite online electronics retailer’s account without even thinking about it. Once you’ve fixed that, they’ll do it again because they know your mom’s middle name and your hometown high school. And, most of the time, it goes back to the breach. The infinite feed source.

That’s why behavioural biometrics analysis is so necessary. Using this intelligence, fraud can be stopped at any point where there is an authentication test because the software is so good at determining who’s a real user and who is a fraudster. Companies using these tools have a much more accurate understanding of the user, and a lot more options. Fraudsters logging in with your valid credentials just don’t get through because they don’t behave like you. Period.

Breaches may not be 100% preventable, but it is possible to prevent hackers from being able to use the data they steal in these incidents, effectively making it worthless. At the very least, behavioural biometrics and analysis would prevent fraudsters from taking the Yahoo data and leveraging it elsewhere.”

David Gibson, VP of strategy and market development at Varonis:

“These large-scale data dumps continue to chip away at our privacy. While specifics like account data, passwords and user preferences may have comparatively low value in the short term, over a longer time horizon data dumps will continue to make it easier for hackers to aggregate and establish a clear identity of their victims, especially as the sophistication of the aggregated data dumps advance. This Yahoo breach goes to show how a single significant breach can come back to haunt a business (and its customers) again and again. It also highlights just how in-the-dark companies typically are after a breach. After a breach occurs we usually see a statement claiming that the security team has “isolated the affected systems,” but seasoned security researchers know that far too often the scope and severity of a breach is indeterminable due to a lack of comprehensive monitoring and logging.

Our observations suggest that businesses – just like individuals – are still struggling to get the basics right when it comes to securing their data. There are so many basic vulnerabilities that organisations need to address – external and internal. The number of reported breaches will no doubt continue to increase. More companies are keeping more information from consumers and business partners, which increases the value of a potential breach. In order to be productive, company networks can’t be 100% isolated, and no matter how much time and money you spend on security tools, nothing is fool-proof, especially when the weakest links in the chain are the people who need access to data in order to do their jobs. Spear phishing attacks that provide hackers with valid credentials are increasing in frequency and sophistication, so administrators and security practitioners should assume that if their networks aren’t already breached, there’s a good chance they may be some day.

When you work under the assumption that your outer defences will be breached, it frames the data security challenge somewhat differently. Instead of pouring all of your energy into building a very high, very strong fence, spend more time securing what you truly need to protect: data. Make sure that once someone is inside, their activities will be observed and controlled. Just because you have a great lock on your front door doesn’t mean that cameras and motion sensors aren’t also a good idea. Similarly, monitoring user access and analysing it properly will help organisations identify attackers on their network and hopefully mitigate any damage.

Burying your head in the sand and hoping nothing bad will ever happen isn’t an option these days, so companies should absolutely have a plan for what happens after they discover a breach. Just like it would be silly to choose not to have a plan for a fire in the building, it doesn’t make sense not to have a response plan for a data breach. At a minimum, it’s critical for companies to identify what may have been stolen or deleted and what their obligations are to customers, partners, shareholders, etc. Different types of information have different disclosure requirements, therefore it’s important for companies to understand what kind of data they’re storing and what those obligations are so they can plan accordingly.”

Simon Crosby, CTO and co-founder of Bromium:

“This incident at Yahoo will be a wake-up call for people, but it’s not the first. Certainly it will provide a clear message to chief execs that if something like this happens then they can expect to be paraded in front of a voracious media – and they’d better have some good answers to some tough questions. Businesses have no excuse that they were not aware nor prepared for such attacks. They’ll need to prove that they took all reasonable steps to protect themselves. How they respond may be the difference between a damaging incident, and fatal disaster.

Users need to be vigilant. If you use any services whose data, if stolen and made public, could be used against you, then edit your profile now to include false information and a fake email address, or an alternative, randomised, non-work email address from an online provider. Users should also be on the lookout for strange-looking emails from friends who you would normally trust – their account might have been compromised. Finally, reset your online service passwords, such as your bank’s, if you think your email may have been compromised, since many SaaS apps use email to confirm password changes.”