This feature first appeared in the Winter 2017 issue of Certification Magazine.
On September 26, 2016, Yahoo! announced to the world that they were the victim of the largest systematic account compromise in the history of the Internet. Attackers managed to penetrate Yahoo!'s network as early as 2014 and steal account information belonging to more than 500 million Yahoo! users.
News of the breach at Yahoo! rocked the cybersecurity world as use of the service is so widespread, ranging from hosting personal e-mail accounts on the Yahoo.com domain to managing thousands of fantasy football, baseball, and basketball leagues on their servers, and hosting millions of photographs through their Flickr service.
Indeed, it's hard to imagine an American Internet user who hasn't had some need to create a Yahoo! account over the past decade.
The not-usual suspects
In their announcement of the attack, Yahoo! revealed that the attackers walked away with a treasure trove of information. They didn't tell individual users what information was stolen about their account but admitted that the theft included full names, e-mail addresses, telephone numbers, birthdates, and the answers to security questions.
That's more than enough information to wage an identity theft attack against Yahoo! users and access accounts belonging to those users on Yahoo! and other services. While users can't unring the proverbial bell and retrieve their stolen information, they should presume that this information was compromised and take immediate actions to protect themselves online.
Yahoo! described the attack as coming from a source that they "believe is a state-sponsored actor." Without naming a specific country, Yahoo! is alleging that the attack comes from what cybersecurity professionals call an advanced persistent threat (APT).
Unlike the stereotypical hackers of the 1990s who labored away in the wee hours of the morning in a basement lit by the glow of monitors and surrounded by empty pizza boxes, APT attackers are professionals. They are typically highly talented and well-trained cyberwarriors who are employed by military units and intelligence agencies. They work slowly and methodically to undermine the security controls of high value targets and retrieve specific information needed by their employer.
While Yahoo! didn't name the specific country that they suspect of being behind the attack, both China and Russia are known state sponsors of cyberwarfare activity. It is likely the Yahoo! attack originated in one of those two countries.
Why was Yahoo! a target?
At first glance, it might seem surprising that a state-sponsored attacker would focus their time and resources on Yahoo! and its trove of user information. Certainly the Chinese and Russian governments must have better things to do than sneak a peek at your fantasy football roster, or copy your photos from last Thanksgiving, right?
That's absolutely true. The information that the attackers stole, however, can be used for a variety of other purposes. One possibility is that the attack was targeted against a small group of individuals of interest to the attackers, and that they stole the massive number of accounts to mask the identity of their actual targets.
It's also possible that the attackers stole this information as a resource for use in future hacking attempts against targets that they identify later. Either way, it's difficult to guess the true intent or target of the attackers.
When 500 million compromised accounts go unreported
Another obvious question that Yahoo! finds itself struggling to answer is why they're announcing an attack that occurred in 2014 two years after the fact. While it's not unusual for companies to discover a data breach long after the attack initially occurred, that doesn't appear to be the case in the Yahoo! breach.
In a filing with the U.S. Securities and Exchange Commission, Yahoo! admitted that "the Company had identified that a state-sponsored actor had access to the Company's network in late 2014." The Financial Times reported that Yahoo! CEO Marissa Mayer knew of the compromise in July 2016 but opted to withhold the information from the public and regulators for two months.
Notably, Yahoo! also failed to notify Verizon of the breach even though Verizon made a $4.8 billion offer to acquire Yahoo! in July. These events will almost certainly become the subject of litigation for many years to come.
Protect yourself: Two-factor authentication
Yahoo! sent e-mail notices of the breach to all individuals that they could identify as affected, but anyone with a Yahoo! account should consider their information compromised, even if they did not receive such a notice. Although Yahoo! believes that plaintext passwords were not compromised during the breach, everyone with a Yahoo! account should change their account password immediately if they have not done so already.
The danger from this breach also extends to other sites where individuals use the same password. Attackers know that it is human nature to reuse passwords and will attempt to use username, e-mail address and password combinations that they obtain from one site to access other, unrelated sites. In fact, this may be one of the driving factors behind the Yahoo! attack — an attempt to gain username and password combinations that might be tried on other sites.
Multifactor authentication is the strongest control that individual users can use to protect their accounts on Yahoo! and other services from future compromises. This technology, also known as two-step verification or two-step login, adds an additional protection to the login process, beyond simply entering a password.
The second step is designed to supplement your password (a "something you know" authentication factor) with proof that you have physical possession of an object (a "something you have" authentication factor). In the case of Yahoo!'s two-step verification process, Yahoo! sends a six-digit code via text message to the user's phone and then requests this code as part of the login process.
This combination of two different authentication factors dramatically increases account security. After all, even if an attacker manages to steal your password, it's much less likely that they will also be able to get their hands on your phone to intercept the authentication code text message.
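The second step described above, as an added example that is not part of the original article or of Yahoo!'s own system: a server issues a random six-digit code, delivers it out of band (the SMS step is simulated by simply returning the code), and then accepts that code only once, only within its lifetime, and only for a bounded number of guesses. The lifetime and attempt limit are assumptions chosen for illustration.

```python
"""Added example: server-side handling of a six-digit one-time login code.

This is the 'something you have' step layered on top of the password step.
Names, limits and the in-memory storage are illustrative assumptions.
"""
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple

CODE_TTL_SECONDS = 300   # assumption: a code expires five minutes after issue
MAX_ATTEMPTS = 5         # assumption: a challenge locks after five wrong guesses
CODE_DIGITS = 6


def _digest(code: str) -> bytes:
    # Store only a hash of the code so a read of the challenge store
    # (a log line, a database dump) does not expose live codes.
    return hashlib.sha256(code.encode("ascii")).digest()


class LoginChallenge:
    """State for one pending second-step challenge, kept server-side."""

    def __init__(self, user_id: str, code_digest: bytes, issued_at: float):
        self.user_id = user_id
        self._code_digest = code_digest
        self.issued_at = issued_at
        self.attempts = 0
        self.consumed = False

    def verify(self, submitted: str, now: Optional[float] = None) -> Tuple[bool, str]:
        """Return (accepted, reason).

        Order of checks matters: a consumed, expired or locked challenge is
        refused before the submitted value is even compared, so replaying an
        old code or brute-forcing the six-digit space does not work.
        """
        now = time.time() if now is None else now
        if self.consumed:
            return False, "already used"
        if now - self.issued_at > CODE_TTL_SECONDS:
            return False, "expired"
        if self.attempts >= MAX_ATTEMPTS:
            return False, "locked"
        self.attempts += 1
        # compare_digest runs in constant time, so timing does not leak
        # how many leading digits of a guess were right.
        if hmac.compare_digest(self._code_digest, _digest(submitted)):
            self.consumed = True
            return True, "ok"
        return False, "wrong code"


def issue_challenge(user_id: str, now: Optional[float] = None) -> Tuple[LoginChallenge, str]:
    """Create a fresh challenge; return (challenge, code_to_deliver).

    A real service would hand the code to its SMS or push provider and
    never return it to the login flow; here it is returned so the example
    can be exercised offline.
    """
    now = time.time() if now is None else now
    # secrets is a CSPRNG; zfill keeps leading zeros so '004217' stays six chars.
    code = str(secrets.randbelow(10 ** CODE_DIGITS)).zfill(CODE_DIGITS)
    return LoginChallenge(user_id, _digest(code), now), code


if __name__ == "__main__":
    # Walk through one login: password step assumed passed, then the code step.
    challenge, code = issue_challenge("alice@example.invalid")
    print("delivered out of band:", code)
    print("first use:", challenge.verify(code))    # (True, 'ok')
    print("replay:", challenge.verify(code))       # (False, 'already used')
```

The attempt counter is what turns a six-digit code into a real barrier: without it, an attacker holding the stolen password could simply iterate through the one million possibilities, and the "something you have" factor would add nothing.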
Yahoo! isn't unique in offering this service. Google, LinkedIn, Evernote, and many other popular web-based services all offer some form of multifactor authentication.
Protect yourself: Credit monitoring
Users affected by the breach should also obtain a free copy of their credit report from the government-sanctioned AnnualCreditReport.com site. After obtaining the report, check for any unusual activity that may indicate identity theft, such as the presence of suspicious accounts.
It's also important to remember that birthdates, security question answers and the other sensitive information stolen in this breach have permanent value and may be stored away and used in an identity theft operation months or years down the road. Individuals who aren't already in the habit of checking their credit reports every few months should make a habit of the process.
AnnualCreditReport.com allows users to pull a credit report for free once per year from each of the three credit bureaus. It's a good idea to stagger these free reports, requesting a report from a different agency every four months. This will allow for quicker identification of suspect activity.
Pros and cons of free e-mail
Free e-mail is an attractive concept, particularly for personal use. Google, Microsoft and many other providers offer the same free level of e-mail service that Yahoo! provides consumers, and millions of users take advantage of these services. Users get a simple, easy-to-use e-mail system that hides all the technical complexity of managing e-mail service.
Each of these providers employs a talented cybersecurity team dedicated to keeping attackers out of their system. While the Yahoo! breach was a regrettable event, it is the exception, rather than the norm. Users can depend upon major providers to offer a secure, reliable e-mail service that is perfectly acceptable for personal use.
While free e-mail is a great solution for personal use, however, it is unlikely to meet the needs of corporate users who expect higher levels of security and compliance than home users. Enterprise users of e-mail expect the ability to perform advanced filtering of e-mail content, including the use of data loss prevention (DLP) technology that watches for accidental or intentional data breaches and blocks suspicious e-mails before they leave the enterprise.
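A minimal version of the outbound DLP check described above, as an added example rather than any provider's actual product: it scans a message body for two common patterns (U.S. Social Security number format and payment card numbers), confirms card candidates with the Luhn check digit to cut false positives, and returns a block/allow verdict. The patterns, the sample message and the "record only the last four digits" logging choice are illustrative assumptions.

```python
"""Added example: a small content scanner of the kind a DLP gateway runs on
outbound mail. Patterns and policy are illustrative assumptions; a real
deployment would carry many more detectors and a richer policy model."""
import re
from typing import Dict, List, Tuple

# SSN-shaped: NNN-NN-NNNN with word boundaries on either side.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# Card-shaped: 13 to 16 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn check digit test; true for well-formed payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_message(body: str) -> Dict[str, object]:
    """Return {'block': bool, 'findings': [(kind, safe_excerpt), ...]}.

    Findings never carry the full matched value, so the scanner's own logs
    do not become a second copy of the data it is meant to protect.
    """
    findings: List[Tuple[str, str]] = []
    for m in SSN_RE.finditer(body):
        findings.append(("ssn", "***-**-" + m.group()[-4:]))
    for m in CARD_RE.finditer(body):
        digits = re.sub(r"\D", "", m.group())
        # Digit runs that fail Luhn (order numbers, tracking ids) are ignored.
        if luhn_ok(digits):
            findings.append(("card", "*" * (len(digits) - 4) + digits[-4:]))
    return {"block": bool(findings), "findings": findings}


# Constructed sample messages; 4111 1111 1111 1111 is a standard Luhn-valid
# test number and 123-45-6789 is an obviously invalid SSN used only for shape.
SAMPLE_LEAK = (
    "Hi Bob, the card on file is 4111-1111-1111-1111 and the customer's\n"
    "SSN is 123-45-6789. Please process the refund today."
)
SAMPLE_CLEAN = (
    "Hi Bob, order 4111111111111112 shipped; tracking 1Z999AA10123456784.\n"
    "Call me at 555-123-4567 if anything looks off."
)

if __name__ == "__main__":
    for name, body in (("leak", SAMPLE_LEAK), ("clean", SAMPLE_CLEAN)):
        verdict = scan_message(body)
        action = "BLOCK" if verdict["block"] else "allow"
        print(f"{name}: {action} {verdict['findings']}")
```

The order number in the clean message is sixteen digits long but fails the Luhn check, which is why it passes; that single validation step is what keeps a pattern-based DLP rule from blocking every invoice that leaves the company.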
Corporate legal teams also expect the ability to review and edit the terms of service for e-mail systems to cover compliance obligations and limit liability in the event of a breach. Free e-mail providers simply don't negotiate their terms and don't offer advanced security features.
Building your own e-mail service is not an ideal alternative, either. Creating an e-mail system from the ground up requires talented system administrators who understand the inner workings of e-mail. Most organizations that operate their own internal e-mail services have at least two full-time staff members (if not more!) dedicated to maintaining their e-mail environments.
These systems also require significant capital investments in software licenses, server hardware and storage. Operating an e-mail service can quickly become a major financial, technical and administrative hassle that doesn't provide a significant return on investment.
Paying for "free" e-mail
Fortunately, there is a middle-ground alternative for companies seeking to gain the efficiencies of outsourcing e-mail, but who are justifiably reluctant to move to a free provider. Google, Microsoft and other e-mail providers offer a paid tier of service that provides many additional security features, complies with legal and regulatory obligations and offers contract terms customized to each enterprise environment.
For example, Google's Gmail service offers enterprise customers the ability to perform DLP scanning on outbound e-mail, preserve messages subject to litigation holds and electronic discovery, integrate with enterprise authentication services and comply with stringent external security requirements.
Major providers contract with well-known audit firms to conduct regular assessments of their security controls and then make these reports available to their corporate customers as an added degree of assurance. This software-as-a-service approach to e-mail is rapidly becoming the most common way that many large organizations provide their users with e-mail service in a secure fashion without the service becoming a drain on corporate resources.
There are many lessons to draw from the Yahoo! security breach. Individuals who were — or may have been — directly affected by the breach should take immediate steps to secure their personal information.
Everyone else should use this opportunity to rethink the security controls in place around their online accounts and consider adopting multifactor authentication in as many places as possible. Enterprises should also use this event as a reminder to evaluate their own security controls to protect the sensitive information under their care from attack.
Editor's Note: On Dec. 14, immediately prior to our publication deadline, Yahoo! disclosed a second, separate attack from 2013 that compromised more than 1 billion user accounts. Everybody stop using Yahoo! already. And please double down on your personal protective measures. It's a jungle out there.