Area 1 Security Talks with San Francisco Chronicle About Yahoo Breach 10/4/17
Yahoo said Tuesday that the number of people impacted by a massive security breach in 2013 was three times larger than it had originally announced — meaning all accounts were affected.
Roughly 3 billion accounts were breached, the company now says, up from its earlier estimate of more than 1 billion.
The company has yet to disclose the cause of the breach. The new information emerged after Verizon Communications Inc., which purchased Yahoo for $4.48 billion in June, received more intelligence about the breach with the help of outside forensic experts.
Analysts believe this is the nation’s largest security breach based on the number of accounts affected. Some consumer advocates said it was inexcusable that the information was just being released now.
“It was outrageous that it took (Yahoo) three years on the first announcement, and now it’s unbelievable that a year later they are saying, ‘Oops, it was three times what we thought,’” said John Simpson of privacy advocate group Consumer Watchdog. “These guys shouldn’t be in the Internet business.”
Information that could have been stolen from the accounts includes names, phone numbers, addresses and birth dates. Verizon said it does not believe credit card data, bank account data or clear-text passwords were illegally accessed. But cybersecurity experts caution that even basic information can be used to inflict harm and score big returns.
Phishing, a simple yet wildly effective tactic used by cybercriminals, works best when the attackers have enough personal information to present people with emails and messages that appear to be authentic — from a bank, Internet service provider, school or even an employer. The more familiar and trustworthy a message looks, the more likely it is that the recipient will click on a link that may be infected with malicious software, known as malware, or provide further information about themselves that can be used in other cybercrime.
“We treat each one of these attacks as a stand-alone problem, but really, they’re just the launching point of what could come next,” said Oren Falkowitz, CEO of cybersecurity firm Area 1 Security, which specializes in phishing scam prevention. “Details pulled from your Yahoo account and a Social Security number from the Equifax breach can be put together to make for a very convincing phishing attack. That’s where the real danger is.”
Yahoo says that it continues to work with law enforcement, and Verizon says the Yahoo team is taking “significant steps to enhance their security.”
“Verizon is committed to the highest standards of accountability and transparency, and we proactively work to ensure the safety and security of our users and networks in an evolving landscape of online threats,” said Chandra McMahon, Verizon’s chief information security officer, in a statement.
The 2013 breach is part of a series of mishaps for Yahoo, including a 2014 hack that affected at least 500 million accounts. The U.S. government believes people employed by the Russian government were connected to that hack. The breach was disclosed after Verizon announced it planned to buy Yahoo, and new terms of the deal were later negotiated, including a reduction in the acquisition price.
U.S. Sen. John Thune, R-S.D., chairman of the Senate’s Committee on Commerce, Science and Transportation, said his group will call on Yahoo and Equifax to testify about their recent breaches. Equifax, a credit reporting company, said it had a breach that could have affected about 146 million Americans.
“I expect witnesses to think hard about their obligations to consumers and offer a sober assessment of remaining risks that could be the subject of a future announcement,” Thune said in a statement.
Falkowitz, a former National Security Administration analyst, said he cleared out his Yahoo account after the company first announced in 2016 the breach of 1 billion accounts. He said he would advise all those affected — including the 2 billion users who may have just found out their accounts were compromised four years ago — to do the same.
“The best thing people can do is say, ‘You know what? I gave you my account, I let you monetize it and you didn’t do anything to protect me, and I’m no longer going to trust you,’” he said. “It’s unacceptable. People need to vote with their dollars and their actions to really push these companies to do differently.”
From 2012 to the day Yahoo was sold, it employed three chief information security officers — a trend that analysts say indicates the high demand for people who have the necessary skills to combat sophisticated cyberattacks. In 2013, when Yahoo’s breach occurred, the company didn’t have a permanent information security chief.
Still, the earlier disclosure of the breaches last year did not significantly affect Yahoo’s traffic in the months after the announcements, and analysts said they did not expect users would change their minds after Yahoo’s recent announcement.
“One billion versus 3 billion user breach won’t make a consumer difference,” said Patrick Moorhead, president of Moor Insights and Strategy. “If consumers haven’t left already, they likely won’t leave.”
How Yahoo’s security breaches unfolded
August 2013: Yahoo experiences a security breach by an unnamed third party.
Late 2014: At least 500 million Yahoo accounts are hacked in a separate breach.
July 2016: Verizon says it plans to buy Yahoo for $4.83 billion.
September 2016: Yahoo discloses information about the 2014 hack.
December 2016: Yahoo publicly says more than 1 billion accounts were breached in 2013.
June 2017: Verizon buys Yahoo for the reduced price of $4.48 billion.
October 2017: Yahoo says all 3 billion accounts were affected in the 2013 hack.