Yahoo hack throws internet insecurity into sharp relief
The massive scale of the credential thefts at Yahoo, LinkedIn, and the other internet firms has focused attention on the seeming inability of American companies to secure their networks against foreign and domestic adversaries.
A Yahoo logo is pictured in front of a building in Rolle, 30 km (19 miles) east of Geneva, December 12, 2012.
Denis Balibouse/Reuters
Even in an era ofÌýmassive data breaches, theÌýone announced by Yahoo this week was spectacular and raises worrisome questions about the continued vulnerability of America's digital networks to increasingly sophisticated adversaries.
Yahoo on Thursday that a state-sponsored adversary had broken into its networks and stolen the names, email addresses, phone numbers, birth dates, passwords, and security questions belonging to a staggering 500 million user accounts.
The announcement confirmed earlier about a potential breach at the company. In August,Ìýa cybercriminal named "Peace"Ìýannounced he had putÌýsome 200 million Yahoo credentials for sale on the Dark Web. YahooÌýhad said it was aware of the hacker’s claim but did notÌýconfirmÌýit had been breached.
PeaceÌýhasÌýput hundreds of millions of similar user credentials stolen from LinkedIn, MySpace, and TumblrÌýup for saleÌýearlier this year. The data was obtained from intrusions at these firmsÌýover the past two or three years.Ìý
Yahoo said the intrusion into its network occurred sometime in late 2014 but offered no explanation on why it was disclosing the breach only now, two months after agreeing to sell its core business to Verizon for $4.8 billion.
The massive scale of the credential thefts at Yahoo, LinkedIn, and the other internet firms has focused attention on the seeming inability of American companies to secure their networks against foreign and domestic adversaries.
Over the past few years, numerous private sector and government organizations have been hit in breaches that have exposed financial data, personal information, health care data and privileged information.
Just this week, for instance, that they are investigating reports that hackers leakedÌýFirst Lady Michelle Obama's passport details and vice president Biden's travel schedules online.
The breaches come at the time when spending on information securityÌýis higher than ever. The technology research firmÌýGartner worldwide information security spending to top $81 billion in 2016, up nearly 8 percent from last year.
As organizations such asÌýYahoo continue to get breached in spectacular fashion,Ìýmodern enterprisesÌýface enormous challengesÌýin stopping hackers.
For companies as large as Yahoo, it can be incredibly difficult blocking every single entry point and avenue for attack, say security experts.ÌýThe growing use of cloud services and mobile devices has opened up innumerable entry points into the network,Ìýmaking itÌýalmost impossible to protect against every single intrusion attempt.
"Despite the size of a company or how large a cybersecurity budget [it may have], there are currently no technology controls or assortment of controls that can defend a company against an attack," says Chris Pierson, general counsel and chief security officer at Viewpost, a provider of online invoicing and payment services.
No current technology controls have proven themselves capable of immediately spotting a sophisticated adversary and minimizing the length of time they spend in a network, Mr. Pierson said.
"Until we can achieve times that are measured in minutes and hours to enable reaction, response, and blocking, all companies are susceptible to compromise," he said.
In Yahoo's case,ÌýtheÌýcompany's failure to disclose the breach for nearly two years suggests that it did not have adequate breach detection and response capabilities or that it remained mum despite knowing about it.
Either way, the consequences are likely enormous. The leak has given hackers 500 million new keys to try and break into organizations says Rajiv Gupta, chief executive officer of security vendor Skyhigh Networks.
Many of the username and password combinations may not work or lead nowhere.ÌýButÌýsome of them will lead to sensitive information,Ìýas users tend to reuse login credentials.
Previous incidents show that password breaches can have a significant ripple effect, says Mr. Gupta. "[Extensive] password reuse means even a stolen consumer email or social media password can be the weak link that leads to a data breach."
Ìý