Yahoo hack throws internet insecurity into sharp relief

The massive scale of the credential thefts at Yahoo, LinkedIn, and the other internet firms has focused attention on the seeming inability of American companies to secure their networks against foreign and domestic adversaries.

A Yahoo logo is pictured in front of a building in Rolle, 30 km (19 miles) east of Geneva, December 12, 2012.

Denis Balibouse/Reuters

September 23, 2016

Even in an era of massive data breaches, the one announced by Yahoo this week was spectacular and raises worrisome questions about the continued vulnerability of America's digital networks to increasingly sophisticated adversaries.

Yahoo on Thursday announced that a state-sponsored adversary had broken into its networks and stolen the names, email addresses, phone numbers, birth dates, passwords, and security questions belonging to a staggering 500 million user accounts.

The announcement confirmed earlier rumors about a potential breach at the company. In August, a cybercriminal named "Peace" announced he had put some 200 million Yahoo credentials for sale on the Dark Web. Yahoo had said it was aware of the hacker’s claim but did not confirm it had been breached.

Tracing fentanyl’s path into the US starts at this port. It doesn’t end there.

Peace has put hundreds of millions of similar user credentials stolen from LinkedIn, MySpace, and Tumblr up for sale earlier this year. The data was obtained from intrusions at these firms over the past two or three years. 

Yahoo said the intrusion into its network occurred sometime in late 2014 but offered no explanation on why it was disclosing the breach only now, two months after agreeing to sell its core business to Verizon for $4.8 billion.

The massive scale of the credential thefts at Yahoo, LinkedIn, and the other internet firms has focused attention on the seeming inability of American companies to secure their networks against foreign and domestic adversaries.

Over the past few years, numerous private sector and government organizations have been hit in breaches that have exposed financial data, personal information, health care data and privileged information.

Just this week, for instance, White House officials said that they are investigating reports that hackers leaked First Lady Michelle Obama's passport details and vice president Biden's travel schedules online.

Why Florida and almost half of US states are enshrining a right to hunt and fish

The breaches come at the time when spending on information security is higher than ever. The technology research firm Gartner expects worldwide information security spending to top $81 billion in 2016, up nearly 8 percent from last year.

As organizations such as Yahoo continue to get breached in spectacular fashion, modern enterprises face enormous challenges in stopping hackers.

For companies as large as Yahoo, it can be incredibly difficult blocking every single entry point and avenue for attack, say security experts. The growing use of cloud services and mobile devices has opened up innumerable entry points into the network, making it almost impossible to protect against every single intrusion attempt.

"Despite the size of a company or how large a cybersecurity budget [it may have], there are currently no technology controls or assortment of controls that can defend a company against an attack," says Chris Pierson, general counsel and chief security officer at Viewpost, a provider of online invoicing and payment services.

No current technology controls have proven themselves capable of immediately spotting a sophisticated adversary and minimizing the length of time they spend in a network, Mr. Pierson said.

"Until we can achieve times that are measured in minutes and hours to enable reaction, response, and blocking, all companies are susceptible to compromise," he said.

In Yahoo's case, the company's failure to disclose the breach for nearly two years suggests that it did not have adequate breach detection and response capabilities or that it remained mum despite knowing about it.

Either way, the consequences are likely enormous. The leak has given hackers 500 million new keys to try and break into organizations says Rajiv Gupta, chief executive officer of security vendor Skyhigh Networks.

Many of the username and password combinations may not work or lead nowhere. But some of them will lead to sensitive information, as users tend to reuse login credentials.

Previous incidents show that password breaches can have a significant ripple effect, says Mr. Gupta. "[Extensive] password reuse means even a stolen consumer email or social media password can be the weak link that leads to a data breach."