What happens when a bump in the night turns into billions of exposed accounts? Let the hacking of Yahoo be a warning to us all.
An online stalwart. A digital kingpin. A search giant. Pioneering the early internet, what started as a simple database in 1994 quickly expanded to become the library of web services we now know as Yahoo. Offering search capabilities, mail, news, and even an ad platform, there was a time when it would seem Yahoo was too big to fail.
Was, being the operative word. Like many companies before it (and surely many more to come) Yahoo neglected to heed the warnings of cybersecurity experts, leaving the company and all its user data defenseless from attack.
And attack they did. Twice.
According to Yahoo themselves, the first major hit on Yahoo servers took place in mid-2013. Evidence of the exceptionally large data breach was uncovered in 2016 while parsing through data of an entirely different, yet smaller, cyberattack (more on that later). Within this data, agents found a 2015 listing on the dark web offering information on nearly 1 billion Yahoo user accounts to the tune of $300,000.
The specific account information exposed included unencrypted security questions and answers as well as encrypted names, email addresses, and passwords. Many experts agree that the type of encryption used was out of date and easily hackable. So, because folks so regularly reuse account information, this breach immediately put all of the victims’ other accounts at risk as well.
Once discovered, Yahoo reported the breach and notified all affected users. But the damage was not yet done. Upon further investigation in 2017, Yahoo officials revealed that their original estimate of 1 billion accounts compromised was far too low.
The real number? Over 3 billion – which amounts to nearly every single account Yahoo had at the time. To this day, the 2013 Yahoo hack is the largest known data breach in history, the exact source of which still hasn’t been found.
To add insult to injury, as news of the breach above was unfolding, Yahoo was still recovering from revelations of a smaller attack from 2014 as well. Believed to be a state-sponsored attack, this hack leveraged poor cookie management to enter users’ accounts, bypassing password protection. By the time it was officially discovered in 2016, over 500 million accounts were exposed. Eventually, the United States government would try Russian agents and affiliated “hackers for hire” with crimes for the attack.
Just wait, it gets even worse.
In March of 2017, an internal investigation by Yahoo found that the company’s security team, execs, and some legal staff actually knew of the attack in 2014, before it was officially reported two years later. According to a regulatory filing with the SEC, senior members of Yahoo’s team did not act sufficiently with their knowledge. Following this bombshell, Yahoo’s top lawyer resigned without severance and CFO Marissa Mayer lost her 2016 bonus, later resigning when Verizon bought Yahoo at an understandably discounted price.
A truly chilling saga, isn’t it?
While Yahoo is, of course, still up-and-running today, it has nowhere near the market share it once enjoyed. With the specter of multiple, history-making data breaches hanging overhead, much of the company’s reputation – and once-valued customers – have been lost to other web service providers.
Which begs the question: if an enterprise as large as Yahoo could suffer such devastating effects at the hands of cybercriminals, what’s stopping them from heading after you? And if the hack of 3 billion accounts could go unnoticed for nearly three years, who’s to say they haven’t already?
It’s a terrifying thought, but you don’t have to take it alone. Protecting your sensitive information is more important today than ever before; EMPIST is here to help. Learn more about our cybersecurity services by contacting team EMPIST online today.
(Additional Sources: CNN Business, New York Times, NPR, Tech Crunch, Yahoo)