Yahoo Discovers Massive Hack Attack – Two Years Late

Yahoo recently discovered that it was the victim of what could be the largest-yet theft of personal data.

According to the Wall Street Journal, Yahoo’s blaming “state-sponsored” hackers for the attack.

Yahoo didn’t reveal which foreign country was allegedly involved. However, Yahoo previously said it had detected hackers tied to Russia in its system in 2014. It’s not clear whether that attack was related to the recently discovered one.

The attack happened at a time when some attacks were attributed to China. More recent attacks, including on the Democratic National Committee, have been blamed on Russia.

North Korea was blamed for an attack on Sony Pictures Entertainment after the studio announced plans to release a satirical comedy mocking North Korea and its leader.

Half A Billion Records Lost

The recently revealed Yahoo attack, which happened late in 2014, led to the theft of personal data on more than 500 million users. Yahoo has one billion monthly users.

Yahoo users are being advised to change their passwords. The company is also invalidating security questions such as “mother’s maiden name.”

This hack attack dwarfs previous known attacks, including the theft of information on 130 million accounts from Heartland Payment Systems in 2009 and the Target breach affecting 70 million customers.

Too Late?

Other major hack attacks have gone undiscovered for months or years. As the Journal reported, Myspace just reported in May an attack that happened in 2013, and LinkedIn reported in May an attack from 2012.

According to the New York Times,

Two years is an unusually long time to identify a hacking incident. According to the Ponemon Institute, which tracks data breaches, the average time it takes organizations to identify such an attack is 191 days, and the average time to contain a breach is 58 days after discovery.

Yahoo didn’t reveal how its system was breached.

What was stolen?

Stolen data included Yahoo users’:

  • names
  • email addresses
  • birthdates
  • telephone numbers
  • encrypted passwords

The company believes the hackers were unable to get unprotected passwords, credit card information, or bank information.

In July, Yahoo started to investigate reports that hackers were offering to sell 280 million Yahoo usernames and passwords. The company initially concluded that the information for sale wasn’t legitimate. However, a broader investigation revealed the network breach.

The company also believes that the hackers no longer have access to its network.

Is the deal still on?

Yahoo, which has been struggling for years, recently agreed to sell its core business operations to Verizon Communications Inc. for $4.8 billion.

In a proxy filing on September 9 related to the Verizon sale, Yahoo said it wasn’t aware of any “security breaches” or “loss, theft, unauthorized access or acquisition” of user data.

Yahoo declined to comment to the Journal on the seeming disparity between the filing and reality.

It’s not clear if the hack attack will affect the planned sale. However, the cost of a data breach, according to the Times, is $221 per stolen record. $221 times 500 million is $110 billion — much more than the proposed sale price.

The New York Times reports that

It is unclear whether security testing — such as a test to see if security experts could break into the Yahoo network — was performed as part of Verizon’s due diligence process before it agreed to the acquisition.

But such security is often overlooked by investors, even though breaches can result in stolen intellectual property, compromised user accounts and class-action lawsuits. To date, no law requires such security checks as part of due diligence. 

How Many Times Has YOUR Data Been Stolen?

The New York Times recently published a calculator to let consumers estimate how many times their personal information has been exposed to hackers, and what types of information were exposed.

In 2014, about half of Americans had their personal information exposed, and many have been victims of identity theft and other data-based crimes.

Protecting Yourself

Whether or not your data has been exposed YET, there are things you can do to protect yourself:

  • Don’t use the same password for multiple accounts.
  • Don’t use easy-to-break passwords like “12345.”
  • Monitor your bank and credit card statements for unusual charges, even small ones.
  • If you were the victim of a breach, you may consider freezing your credit by contacting Equifax, TransUnion, or Experian. This will prevent those who obtain your information from obtaining credit in your name.
  • Use two-factor authentication whenever available.

The Dynamic Encryption Solution

Unfortunately, just practicing good data “hygiene” often isn’t enough to protect yourself from a hack attack.

Effective solutions need to be deployed at the enterprise level, by companies like Yahoo.

Learn more about how PACid’s dynamic data security technology can make hack attacks a thing of the past.