Yahoo disclosed today that it has suffered what it believes to be a ‘state-sponsored’ cyber-attack. The attack itself dates back to 2014. Some 500 million users are believed to have had their personal details stolen in what is thought to be the biggest publicly disclosed cyber breach in history.
The US internet firm, which at its height during the dot-com boom was worth $125bn, made a net loss of $4.4bn in 2015 and agreed a sale to the global communications and tech giant Verizon for $4.8bn earlier this summer. Verizon’s rationale for the purchase is access to Yahoo’s core internet business, which has more than a billion active users a month and would make Verizon a global mobile media company.
So how does this breach compare with other large-scale breaches made public in 2016?
• 2012 LinkedIn – 180 million accounts hacked
• 2010 MySpace – 360 million accounts hacked
• 2012 Dropbox – 68 million accounts hacked
There appears to be a trend of large data breaches being announced at least two years after they took place, giving the hackers a comfortable period in which to make maximum use of any data they wish to target. The difference with the Yahoo breach revolves around the claim that it was ‘state sponsored’. For consumers this means that the hackers’ motivation could well be focused on specifically targeted individuals rather than the public at large (which is not to say that the data isn’t also sold on to the cyber underworld). This breach could be focused on the accounts of particular individuals whose free speech has been suppressed in their home country. News of a mass data breach in August could be related to this, but Yahoo’s announcement is a formal acknowledgement rather than previous dark-net gossip. How this plays out, and the degree of malice behind the event, we have yet to find out.
What should users do by way of best practice?
Whether or not someone believes their account has been compromised, it is always good practice to change passwords regularly and to ensure they are strong and unique (a mix of upper- and lower-case letters, symbols and numbers). Multi-step verification can further stiffen defences. Wrapping this with good antivirus and anti-malware software, backed by security policies and procedures, will protect the majority of businesses.
However, the key factor in any security stance is education; this should be at the heart of all security themes, no matter the size of the business. I recommend that all security professionals look to enhance their own awareness so that they can educate end users, and if you are an end user, push for security education if you have not received it. Your security perimeter extends beyond you as an individual to your company, and on to your customers and suppliers.