Yahoo hit with second, larger data breach in last quarter.
Less than 3 months after Yahoo admitted that data from at least 500 million accounts had been stolen, the company is in the spotlight again, this time for an even bigger data breach. On December 14, Yahoo disclosed that data associated with more than 1 billion users was stolen in August 2013, marking the biggest known hack of user data ever.
The stolen user data includes names, email addresses, telephone numbers, dates of birth, hashed passwords, and encrypted or unencrypted security questions and answers. The one silver lining is that no financial information was compromised. Although Yahoo is notifying users who may be affected, if you had a Yahoo account in 2013 or 2014, it is best to immediately reset your passwords and security questions on any account that used the same information.
This new breach raises more concerns about Yahoo’s security precautions. Yahoo’s passwords were hashed with MD5, a hashing algorithm that, in 2008, Carnegie Mellon’s Software Engineering Institute said “should be considered cryptographically broken and unsuitable for further use.”
Security often took a back seat, according to former Yahoo security staffers. Yahoo’s long-time financial struggles didn’t help either. When growth stalled, senior security staff left for other companies, which meant the chances of getting approval for expensive upgrades were low and changes to the user database took forever. Even when the company was growing, security was never the main focus. New tools and features requested by the security team were turned down because they were too expensive, too complicated or too low a priority.
Yahoo’s security breach and the prevalence of large-scale corporate and government hacks over the past few years demonstrate the failure of many institutions to invest enough resources in securing their networks and digital infrastructure. Companies may feel they can’t prioritize security expenses in their budget or that a hack may not happen to them, but realistically any large corporation could be targeted by hackers.
“Yahoo’s case is not unique. Only its scale is troubling,” said a security expert at the University of Buffalo.
Security should always be a priority. A cybersecurity plan should include strategies to further strengthen prevention, detection, and comprehensive response processes, and companies should invest enough resources to ensure these strategies stay current.
For more information about the latest developments in cybersecurity and how to keep your business safe, get in touch with CyberStreams at (425) 2 or firstname.lastname@example.org.