This data leak has been dubbed the biggest release of personal information since the internet began.
US Senator Mark Warner said its scale ‘puts it among the largest on record’.
Details released included names, passwords, email addresses, phone numbers and security questions. The hack actually took place in 2014, but Yahoo only confirmed it last night; presumably, as is often the case with data breaches, the company did not know about the intrusion, or exactly which details had been taken, until recently.
“The ongoing investigation suggests that stolen information did not include unprotected passwords, payment card data, or bank account information; payment card data and bank account information are not stored in the system that the investigation has found to be affected,” said the company in a statement.
Earlier this year Yahoo confirmed it was investigating a data breach, which was thought to contain details of around 200 million accounts.
It is yet again an example of how organisations are woefully outgunned and in some cases unprepared for the continuing onslaught of cyber threats, as Jacob Ginsberg, senior director at Echoworx, suggests.
“Unfortunately, this yet again demonstrates that “good enough” is not good enough when it comes to security. Data persists, so even if you’ve taken steps to protect that information, hackers may have the tools to negate these defences six months, one year or three years down the line.”
“If you do the bare minimum now, this won’t do you any good in six months’ time. Simple hashing of passwords isn’t enough – using strong encryption and salting passwords should be prerequisites for any organisation handling account information.”
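To illustrate the point in the quote above, here is an added example (not code from the article, from Echoworx or from Yahoo) that contrasts an unsalted single hash with a per-user salted, iterated hash: the unsalted scheme gives every user with the same password the same stored value, while the salted one does not, and the verifier recomputes the hash from the stored salt and work factor. The iteration count and the record format are assumptions chosen for this example.

```python
import hashlib
import hmac
import os
from typing import Callable, Optional

# Work factor for PBKDF2-HMAC-SHA256; assumed value for this example, raise it as hardware improves.
PBKDF2_ITERATIONS = 600_000


def hash_password_unsalted(password: str) -> str:
    """The weak scheme: one fast hash, no salt. Equal passwords give equal outputs,
    so one cracked hash or one precomputed table exposes every user sharing it."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password_salted(password: str, salt: Optional[bytes] = None) -> str:
    """The recommended scheme: a random 16-byte salt per record plus a slow,
    iterated key derivation. Record format (assumed): iterations$salt_hex$hash_hex."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"{PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the derivation from the stored salt and iteration count and
    compare in constant time, so a mismatch does not leak timing information."""
    iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def leaks_password_equality(password: str, scheme: Callable[[str], str]) -> bool:
    """True if two accounts choosing the same password end up with identical
    stored values, i.e. the scheme reveals which users share a password."""
    return scheme(password) == scheme(password)
```

Running `leaks_password_equality` with each scheme shows the difference directly: the unsalted scheme returns True, the salted one False, while `verify_password` still accepts the correct password against a salted record.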
Despite the massive amount of data leaked, the main concern coming from a range of security experts is how long it has taken to identify the hack.
“While it’s not a surprise to hear the magnitude of users that have been corporate hacked – after all the rise of the digital business means everyone is more or less online these days – what is shocking is the date, 2014,” said Mark Skilton, a professor of practice at Warwick Business School.
“This is far too late for professional cyber security risk management and certainly from the organisational practices inside a company like Yahoo! that one would expect.”
This attack may indeed be a trigger for the US government to “intervene on behalf of protecting people’s identities online (as we’ve seen in the EU with PSD2),” suggests Brian Spector, CEO of MIRACL.
“A new approach is the only solution for moving forward, regardless of the digital business. A distributed trust model that does not send or store authentication credentials on the web can provide a truly secure way of verifying the identity of a user.”
The fallout from the hack could also jeopardise Yahoo’s $4.8 billion deal with Verizon, which would have seen Yahoo’s core business transfer to the global communications and technology giant.
Hacks releasing personal data are far too common, but the scale of the one carried out on Yahoo may be the catalyst for organisations and government to instigate real, significant change.
Until then, James Lyne, global head of security research at Sophos, has given Information Age 6 key steps for protecting personal data in the wake of the Yahoo hack, and in general.
Change your Yahoo password immediately.
Reset this password on any other online sites where you’re reusing it. Cybercriminals are now using tools that sniff out passwords reused on other, more valuable sites to make their work easier and to make the stolen passwords and other hacked data more lucrative on the dark web.
Make all new passwords different and difficult to guess – yes, you need to create different passwords for every site you visit.
Include upper and lower case letters, numbers and symbols to make passwords harder to crack.
Don’t trust password strength meters – these are unreliable and inaccurate.