Editors' pick: Originally published Dec. 15.
Yahoo!'s (YHOO) recent disclosure that another one billion email accounts were hacked is prompting users who have not already changed their passwords to act immediately.
The breach, which Yahoo! says occurred in August 2013 and affected one billion user accounts, was disclosed by the company on Wednesday. The Sunnyvale, Calif.-based Internet company said it is distinct from the 2014 breach affecting 500 million users that was revealed on September 22. Yahoo!'s stock declined 4.8% to $38.97 by 1:50 p.m. ET.
The hackers, who have not been identified, stole personal information such as names, email addresses, telephone numbers, dates of birth, hashed passwords and, in some instances, encrypted or unencrypted security questions and answers. Yahoo! said its investigation determined that the stolen data did not include passwords in clear text, payment card data or bank account information; payment and bank data were stored in a separate system that the company does not believe was affected. But much of the personal data that was taken, particularly the security questions and answers, can be used by cyber crooks to pass account-recovery checks at other services and gain access to people's online financial accounts.
This immense intrusion demonstrates that even major tech companies can be hacked, said Chris Roberts, chief security architect at Acalvio, a Santa Clara, Calif.-based provider of advanced threat detection and defense solutions.
"I think that the biggest frustration looking at this from the outside with the knowledge we have is simply 'how the heck did they miss it?' at the forensic level or the exfiltration layer," he said. "The fact that this quantity of data and this length of hack has continued to go unnoticed and appears to be a separate hit against Yahoo! smacks of absolute unawareness at some level within the organization for the very basics in security."
Even large, well-capitalized companies are not immune to massive attacks by motivated hackers, said Nathan Wenzler, principal security architect at AsTech Consulting, a San Francisco-based security consulting company.
"The newly announced data breach at Yahoo! should come as no surprise to anyone," he said. "It serves as a pointed reminder that simply because an organization is large and, arguably, well-funded, one should not assume they are secure."
This latest revelation should reinforce the need for users to change their passwords promptly after a breach, to use a different password for every account so that one stolen credential cannot unlock others, and to be cautious about logging in over public WiFi, where traffic can be intercepted more easily.
"Users should always be vigilant and change their credentials on a regular basis, even when used on the websites of very well established and reputable companies," Wenzler said.
Many companies are too lax in their approach to cybersecurity, and this news should remind them to review and update their current practices.
"Organizations of all sizes should be taking note of these breaches and use this as a good opportunity to review their own security posture to ensure that outdated and weak security measures aren't being used," he said.
The MD5 algorithm that Yahoo! used to hash account passwords is outdated and has not been considered a "viable security protocol in several years since it is easily cracked," Wenzler said. MD5 was designed to be fast, which is precisely what an attacker testing billions of password guesses against a stolen table wants; modern password hashes are deliberately slow and salted so that each guess must be computed separately for each account.
Based on the information provided by Yahoo!, this hack was the result of an unauthorized third party gaining privileged access, said Joseph Carson, head of global strategic alliances at Thycotic, a Washington D.C.-based provider of privileged account management solutions.
"This has been a common source of many of the data breaches this year," he said. "Yahoo! has stated that they are notifying account holders impacted by this breach which means they are informing, get this, nearly one out of every seven people on this planet."
In addition to changing their password, users should immediately change their security questions and answers as well, since some of those were stored unencrypted and the same questions are often reused to recover accounts elsewhere.
"If you have been using the same password with any other account or something similar, then you should consider changing those passwords also," Carson said.
Solutions to Passwords
Stronger password hashing algorithms are readily available, and since they are fairly easy and inexpensive to adopt, more companies should implement them across their systems, Wenzler said.
"No company has an excuse to rely on outdated security protocols anymore, and organizations which are lax in reviewing and updating their security programs are simply setting themselves up to be the next victim of a newsworthy data breach, not to mention the reputation loss and financial impact that can come from these types of incidents," he said.
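The following is an added example, not Yahoo!'s code or data, illustrating the point Wenzler makes here and in his earlier remark about MD5: a small constructed table of unsalted MD5 password hashes falls to a single lookup pass, while the same passwords stored with a salted, iterated hash (PBKDF2-HMAC-SHA256 from Python's standard library, one of several acceptable choices) cannot be attacked that way. The user names, passwords and wordlist are hypothetical and are constructed inside the script.

```python
"""Added example: unsalted MD5 password storage versus a salted, slow hash.
Everything here is constructed for illustration; none of it is Yahoo! code
or Yahoo! data."""
import hashlib
import hmac
import os

# Constructed "leaked" credential table in the unsalted-MD5 style described in
# the article. Hypothetical users and passwords; the digests are computed below.
_SAMPLE_PASSWORDS = {
    "alice": "password1",
    "bob": "password1",           # same password as alice -> identical digest
    "carol": "letmein",
    "dave": "rV7!qz#Lp2@wX9mK",  # long random password, not in any wordlist
}

def md5_hex(password: str) -> str:
    """Unsalted MD5, as a legacy system might store a password."""
    return hashlib.md5(password.encode()).hexdigest()

LEAKED_ROWS = {user: md5_hex(pw) for user, pw in _SAMPLE_PASSWORDS.items()}

# Tiny constructed wordlist standing in for the multi-gigabyte lists attackers use.
WORDLIST = ["123456", "password", "password1", "qwerty", "letmein", "iloveyou"]

def crack_md5_table(rows: dict, wordlist: list) -> dict:
    """Compute one MD5 per candidate, then recover every user whose digest matches.
    The cost is len(wordlist) hashes for the whole table, however many users it
    holds, because nothing in the scheme is per-user (no salt, no work factor)."""
    lookup = {md5_hex(word): word for word in wordlist}
    return {user: lookup[digest] for user, digest in rows.items() if digest in lookup}

# Iteration count follows OWASP's current guidance for PBKDF2-HMAC-SHA256.
PBKDF2_ITERATIONS = 600_000

def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, iterated hash. Stored as algorithm$iterations$salt_hex$digest_hex so
    the verifier can read the parameters back and the cost can be raised later."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

def lookup_attack_transfers(password: str, iterations: int = PBKDF2_ITERATIONS) -> bool:
    """True if two users with the same password get the same stored value, i.e. if a
    precomputed table cracks both at once. False for the salted scheme."""
    return hash_password(password, iterations) == hash_password(password, iterations)

if __name__ == "__main__":
    cracked = crack_md5_table(LEAKED_ROWS, WORDLIST)
    print("MD5 table: cracked", cracked)                       # alice, bob, carol
    print("alice and bob share a digest:", LEAKED_ROWS["alice"] == LEAKED_ROWS["bob"])
    stored = hash_password("letmein")
    print("salted record:", stored)
    print("verify correct password:", verify_password("letmein", stored))
    print("verify wrong password:", verify_password("letmeout", stored))
    print("lookup table transfers between users:", lookup_attack_transfers("letmein"))
```

Note that a wordlist hit still cracks a weak password under PBKDF2; what changes is that the attacker must spend 600,000 HMAC computations per guess per account instead of one MD5 per guess for the entire table, which is why the slow hash and a unique password per account belong together.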
Users who rely on remembering their passwords are using an outdated method and should instead use a password manager to generate a strong, unique password for each account, Carson said.
Enabling multi-factor authentication on email and financial services accounts is critical. A second factor also alerts users to login attempts they did not make, so they can spot potentially unauthorized or abnormal activity on their accounts, he said.
While the investigation into the hackers who attacked Yahoo! is ongoing, other companies should view this as a warning on how a breach can go undetected for an extended period of time.
"Obviously there's been a ton of criticism against the leadership there, however, it would be good to really understand who knew what, when they knew it and obviously who ignored it," Roberts said. "Not sure we ever will know, but for no other reason than to teach others a lesson, or to learn from their mistakes, we should know the truth."