As if the data breach of 500 million users’ accounts in 2014 wasn’t bad enough, Yahoo has just discovered that it was the subject of the biggest data breach in history when, back in 2013, more than one billion user accounts were compromised.
What Happened?
According to a statement from Yahoo, hackers used a method known as ‘forged cookies’ to gain access to users’ accounts. These cookies were pieces of data which, when planted in a user’s browser, told the Yahoo website that a fresh login was not required each time the site was accessed. The cyber criminals behind the scheme were therefore able to use this weakness to pose as a user, be misidentified as that user by the site, and get into the account without needing a password.
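To make the ‘forged cookie’ idea concrete from the defender’s side, here is an added illustration (example code written for this article, not Yahoo’s code or any description of how Yahoo’s cookies worked). It contrasts a login cookie that the server simply trusts with one whose contents are bound to a server-held secret by an HMAC signature, so that a cookie whose user field has been altered, or one minted with the wrong key, is rejected. The cookie layout, the field names and the secret are all constructed assumptions for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import time

# Server-side signing key; a real deployment would load this from a secrets
# store. The value here is a constructed placeholder for the demonstration.
SECRET_KEY = b"constructed-demo-secret-do-not-use"


def naive_verify(cookie: str):
    """Weak design: the server believes whatever the cookie claims.

    Anyone can set a cookie reading 'user=someone' in their own browser,
    so 'forging' a session is trivial.  Constructed format: 'k=v;k=v'.
    """
    fields = dict(part.split("=", 1) for part in cookie.split(";") if "=" in part)
    return fields.get("user")


def encode_payload(data: dict) -> str:
    """Serialise the cookie payload as URL-safe base64 of compact JSON."""
    raw = json.dumps(data, separators=(",", ":"), sort_keys=True).encode()
    return base64.urlsafe_b64encode(raw).decode()


def _sign(payload: str, key: bytes) -> str:
    """HMAC-SHA256 over the encoded payload, base64 for cookie transport."""
    mac = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode()


def issue_cookie(user: str, ttl_seconds: int = 3600, now=None, key: bytes = SECRET_KEY) -> str:
    """Mint 'payload.signature' for an authenticated user with an expiry."""
    now = int(time.time()) if now is None else now
    payload = encode_payload({"user": user, "exp": now + ttl_seconds})
    return f"{payload}.{_sign(payload, key)}"


def verify_cookie(cookie: str, now=None, key: bytes = SECRET_KEY):
    """Return the user named by a valid, unexpired cookie, else None.

    Hardened design: the payload is only trusted after its signature has
    been recomputed with the server's key and compared in constant time.
    """
    now = int(time.time()) if now is None else now
    try:
        payload, sig = cookie.rsplit(".", 1)
    except ValueError:
        return None  # malformed: no signature part
    if not hmac.compare_digest(sig, _sign(payload, key)):
        return None  # tampered payload or wrong key
    try:
        data = json.loads(base64.urlsafe_b64decode(payload))
    except ValueError:
        return None  # signed but undecodable (should not happen with our issuer)
    if not isinstance(data, dict) or data.get("exp", 0) <= now:
        return None  # expired
    return data.get("user")


if __name__ == "__main__":
    # Forging the naive cookie needs nothing but a text editor.
    print("naive:", naive_verify("user=admin"))
    good = issue_cookie("alice", now=1000)
    print("signed, valid:", verify_cookie(good, now=1500))
    # Same signature, altered payload: rejected.
    forged = encode_payload({"user": "bob", "exp": 4600}) + "." + good.rsplit(".", 1)[1]
    print("signed, forged:", verify_cookie(forged, now=1500))
```

The point the example makes is that a signed cookie is only as strong as the secrecy of the key and the integrity of the code that checks it: the server must recompute the signature on every request rather than trust the cookie’s contents, and the key must never leave the server. Short expiries limit how long any cookie, legitimate or not, remains usable.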
Email Account Breach
In this case, email accounts were breached, and it is not thought that any stored payment card or bank account information was taken. One big problem, however, is that emails often contain all kinds of sensitive and personal details, such as bank details, family details, and even passwords.
Password Sharing
Another danger of having your email password stolen by hackers is that many people use the same password for multiple purposes, e.g. as their login to retailer accounts. Hackers are therefore known to compile databases of stolen login details and to test those combinations on other websites, e.g. Amazon, in the hope that password sharing will enable them to gain entry.
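The testing of stolen login details against other sites described above has a recognisable footprint in a site’s own authentication logs: one source trying many different usernames in a short time, mostly failing. The following is an added detection example (written for this article, not code from Yahoo or any of the retailers mentioned) that parses a few constructed log lines and flags any source address that fails logins for at least five distinct usernames inside a five-minute window. The log format, addresses, usernames and thresholds are all assumptions for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from any real system).
# 203.0.113.7 walks through six different accounts in a few seconds;
# 198.51.100.5 is one person mistyping their own password, then succeeding.
SAMPLE_LOG = """\
2016-12-15T10:00:01Z ip=203.0.113.7 user=alice result=FAIL
2016-12-15T10:00:02Z ip=203.0.113.7 user=bob result=FAIL
2016-12-15T10:00:02Z ip=198.51.100.5 user=alice result=FAIL
2016-12-15T10:00:03Z ip=203.0.113.7 user=carol result=FAIL
2016-12-15T10:00:04Z ip=203.0.113.7 user=dave result=FAIL
this line is malformed and must be skipped
2016-12-15T10:00:05Z ip=203.0.113.7 user=erin result=FAIL
2016-12-15T10:00:06Z ip=203.0.113.7 user=frank result=FAIL
2016-12-15T10:00:09Z ip=198.51.100.5 user=alice result=FAIL
2016-12-15T10:00:15Z ip=198.51.100.5 user=alice result=OK
"""

# Assumed log line layout: ISO timestamp, then key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) "
    r"ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_line(line: str):
    """Return (timestamp, ip, user, result) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["ip"], m["user"], m["result"]


def detect_credential_stuffing(lines, window=timedelta(minutes=5), min_distinct_users=5):
    """Map each suspicious source IP to the largest number of distinct usernames
    it failed to log in as within any single window of the given length."""
    failures = defaultdict(list)  # ip -> [(timestamp, user), ...]
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than crash the detector
        ts, ip, user, result = parsed
        if result == "FAIL":
            failures[ip].append((ts, user))

    flagged = {}
    for ip, events in failures.items():
        events.sort()
        best, start = 0, 0
        for end in range(len(events)):
            # Slide the window start forward until it spans less than `window`.
            while events[end][0] - events[start][0] >= window:
                start += 1
            distinct = len({user for _, user in events[start:end + 1]})
            best = max(best, distinct)
        if best >= min_distinct_users:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, count in detect_credential_stuffing(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {count} distinct usernames failed within one window")
```

Counting distinct usernames rather than raw failures is what separates this pattern from an ordinary forgotten password: the legitimate user in the sample fails three times but only ever as themselves, so they are not flagged. In production the threshold would be tuned to the site, and a hit would feed rate limiting or a step-up authentication prompt rather than an outright block, since shared addresses such as corporate proxies can produce similar counts.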
State Sponsored Breach
It has been reported that Yahoo believes that the one billion plus user data breach is likely to have been ‘state sponsored’.
Letter From U.S. Senators
Some security commentators have suggested in recent years that Yahoo had been falling behind its peers in terms of blocking spam and email-based attacks. It has also been reported that after Yahoo’s announcement in September about its huge data breach back in 2014, six US senators sent Yahoo a letter. The letter voiced their concerns, asked when Yahoo had actually found out about the breach, and stated that the long delay between the breach and its announcement was ‘unacceptable’.
What Does This Mean For Your Business?
If you are a Yahoo email account holder, the advice from the company is to change your passwords and security questions/answers, and to change the answers for any other accounts on which you used the same or similar information. You are also advised to review your Yahoo account(s) for any suspicious activity. Yahoo also suggests that account holders should beware of unsolicited communications asking for personal information or referring them to web pages, and should avoid clicking links or downloading attachments from suspicious emails. Yahoo is also offering users the ‘Yahoo Account Key’ tool, which provides authentication without the need for a password.
For businesses and individuals alike this story emphasises the need to be vigilant online, to set very strong passwords and not to share passwords between different websites.