By Morey Haber
Week after week, month after month, and now year after year, we hear the news reports about another large data breach at our favorite companies. Some are trivial and small, and few garnish the title, “the biggest data breach ever of its kind.” What we do not hear, however, is the same company being hacked twice, with the second announcement less than six months after the first, the scope doubling the number of compromised accounts, with a company in negotiations for a major acquisition…and the incidents happened over three years ago; for both.
This unique honor goes to the once flagship leader of the Internet, Yahoo.com.
So why does this matter? It’s just another news story, or is it?
To set the record straight, changing your password on Yahoo.com since the announcement is going to do nothing to protect your personal information. Data stolen from birthdates, addresses, and security questions have been circulating “forever” in Internet time and probably has already been leveraged against you. Three years is an eternity on the net, and the correlation of this information and other breached sources has realistically already provided a profile for your persona for purchase and malicious activity. In addition, if you did not change your password in three years, let alone after the first breach, and you have not experienced any phishing, spam, robocalls, or even rogue charges on your credit cards, consider yourself very special and lucky. Even the best practitioners of security deal with these annoyances on a regular basis and it is only a matter of time based on your digital presence that you will too.
So, what is the point in caring if it happened so long ago? Because we are human, make mistakes, and this simple breach can teach us a lot of what to do, and what to do to protect our identities and privileged access to sensitive information. Hackers have had three years to work with this information. What could they have possibly done?
First, if your Yahoo password at the time was the same as other Internet passwords you use (called password re-use), they could have compromised any account that shared that password. If your bank account, work login, or favorite website had fictitious charges, the hackers probably used the information to steal from you. Therefore, do not reuse the same password for work, home, banks or other social media accounts. If one password is compromised (i.e. Yahoo), it can be used at other websites to compromise your integrity. We need to learn to use unique passwords for everything and never the same ones for work and home.
Second, any data breach provides a partial profile for a potential victim. If the data is linked with other hacks or even public information from property records to social media, a hacker has a better chance of compromising any individual. To gather this information publicly, hackers will have employee social engineering tactics that feed on human behavior to get the information they need. For example, avoid social media games that ask personal questions. Facebook games and posts that ask you to share what city you were born in and what your first car was are a dead ringer for common security questions. If you answer them, you are potentially sharing your security questions with everyone and the malicious entity that published them in the first place. If your mail account is compromised too, then this is an easy hack to reset your password and impersonate your account.
Finally, just a straight recommendation to protect any identity that has been breached: Turn on two-factor authentication for signing into websites from new devices. If the web service offers to send you a code via email or even text to validate a new logon, use it. While SMS texting has been proven to be less than secure, and not recommended by security experts, it still provides a better security layer than just a traditional username and password. More complex two-factor authentication is always preferred but a simple extra step can stop a hacker from re-using your compromised credentials.
While these recommendations can help mitigate the risks even from a three-year-old data breach, there is one more important factor to consider; privileges. Every account you create has certain rights. This includes everything from creating new email addresses from your home Internet provider to electronically paying bills. At work, it is the ability to log in to a workstation but be restricted to accessing sensitive information. These are your privileges and is what we at BeyondTrust help companies manage. When possible, do not use your administrator rights, root password, or privileged account. Create one for everyday use that allows you to pay bills but not necessarily open a new charge card. If your computer is compromised, your favorite company hacked, or your password is stolen via other malicious activity, the risks are much lower. Privileged accounts should only be used when absolutely necessary and not for everyday activities. This practice alone could make you one of those special people that were not adversely affected by Yahoo’s (and others) data breach. The hackers have nothing really to work with since your security questions were different for every site, your passwords unique, and when they are tried, can only do basic tasks.
Keep the conversation going
Want to learn more? Join Morey Haber and Sean Martin on January 11, 2017, for an in-depth discussion about the breach details and how they can and will impact our society.
About Morey Haber
With more than 20 years of IT industry experience, Mr. Haber joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition and currently overseas strategy for both vulnerability and privileged identity management.