1 Billion Hacked Accounts: A Look at the Yahoo Breach

Media Division | December 19, 2016

Experiencing deja vu? Did you think you had already heard about the Yahoo email breach? You may be thinking of the 500 million accounts hacked in 2014, which just got reported in September 2016. Scary. Just about the biggest breach in history. It took years to discover.

Oh wait, old news.  Here we are three months later, and Yahoo is forced to post another security notice: On December 14, 2016, Yahoo formally announced that 1 billion accounts were hacked in August of 2013, doubling its previous record.

Is It Just Us, or Are Hacks Getting Bigger?

Hacking has various intents: ransomware for a reward, corporate or government espionage, hacktivism, or general chaos. Scoring a big hack like Yahoo can translate into big dollars from selling information on the black market, and in this case the company itself is also being sold to Verizon.

It’s probably too late for this hack to affect the sale price, but experiencing such large hacks in short order can devalue a corporation.

We don’t know explicitly what information was compromised.  It likely included names and email addresses, but could have also contained telephone numbers, dates of birth, passwords (encrypted, but decipherable with the right tools) and unencrypted security questions and answers.

What the Hack Means for You

The worst part of such a hack? The likelihood of the next one. Too many people still use the same passwords between sites. Birthdates, of course, repeat, and, combined with additional data like phone numbers, are easier to correlate to other sites. Security questions also tend to repeat between sites (once the street where you were born and your mother’s maiden name are known, such data can also be used to pose as you to request a password reset, even if a password is not identified).

Faced with increased likelihood of electronic assault, more companies are creating internal password policies, even beyond what a program might require.  At the very least, passwords should:

• Be long.  An 8-character minimum.
• Contain an upper and lower case letter
• Contain a numeral
• Contain a symbol (* & % $ # @ ! +)

All of the above are detectable by simple password verification software.  Beyond that, internal policies often include requirements that passwords:

• Not be a single word, even an alteration of a word (such as subbing numerals for some letters).
• Not be a previous password with only one small change, such as changing the number at the end.
• Not be the same as any previous password.
• Not be the same as the password for any other site.
• Be updated more frequently (such as twice per year or quarterly, depending on the nature of the business).
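
As an added example (not from the original post), this Python check implements the four rules that "simple password verification software" can detect, plus the internal rules that software can also test: altered single words, reuse of a previous password, and a previous password with one small change. The wordlist, the substitution table, the edit-distance threshold of 2 and the plaintext `previous` list are assumptions for illustration; production systems keep only password hashes, so the small-change comparison is normally run against the current password the user types during the change.

```python
import re

# Look-alikes commonly swapped in for letters ("subbing numerals for some letters").
LEET = str.maketrans("013457@$!", "oieastasi")
# Constructed sample wordlist; a real deployment would load a large dictionary.
WORDS = {"password", "sunshine", "dragon", "welcome"}

def edit_distance(a, b):
    """Levenshtein distance, used to spot a previous password with one small change."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_altered_word(candidate):
    """True if the candidate is one dictionary word once substitutions are undone."""
    lowered = candidate.lower()
    # Also try with leading/trailing digits and symbols removed (e.g. "P@ssw0rd1!").
    trimmed = re.sub(r"^[^a-z]+|[^a-z]+$", "", lowered)
    return any(form.translate(LEET) in WORDS for form in (lowered, trimmed))

def check_password(candidate, previous=()):
    """Return the list of policy violations; an empty list means the candidate passes.

    `previous` holds earlier passwords in plaintext for demonstration only (assumption).
    """
    problems = []
    if len(candidate) < 8:
        problems.append("shorter than 8 characters")
    if not re.search(r"[A-Z]", candidate):
        problems.append("no upper case letter")
    if not re.search(r"[a-z]", candidate):
        problems.append("no lower case letter")
    if not re.search(r"[0-9]", candidate):
        problems.append("no numeral")
    if not re.search(r"[^A-Za-z0-9]", candidate):  # any non-alphanumeric counts as a symbol
        problems.append("no symbol")
    if is_altered_word(candidate):
        problems.append("single word, even if altered")
    distances = [edit_distance(candidate, old) for old in previous]
    if 0 in distances:
        problems.append("same as a previous password")
    elif any(d <= 2 for d in distances):
        problems.append("previous password with only a small change")
    return problems
```

Note that "P@ssw0rd1!" satisfies all four composition rules and is still rejected as an altered single word. The rule about not reusing a password from another site cannot be checked this way, since the organization never sees those passwords.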

One of the biggest risks to an organization’s password strength is repeat password usage, such as when a LinkedIn hack led to the Dropbox security breach.

Asking employees to agree to use unique passwords is one way companies try to stay proactive about security. Another increasingly popular security measure is 2-step login. Sure, you give up a few more seconds of time (and must have the additional security measure, such as a phone that accepts text messages, to hand), but the payoff is a much more secure network.

Going Forward, More Secure

With any luck, more consumers will become aware of basic security measures.  As it stands, people tend to live in certain social circles—the technologically inclined with friends who also utilize basic precautions.

If you think for a moment of anyone who might not be familiar with password security, you have two choices: 1) Let them continue in their naiveté and possibly put your own email accounts, networks and internet-connected devices at increased risk, or 2) Forward them this post and let them see how a few simple policies can keep them from being compromised in the next cyber security breach to make headlines.

Your choice.

MEDIA DIVISION
Massive's Media Division publishes timely news and insights based on current events, trends, and actionable cross-industry expertise.