“The revelation of Yahoo’s latest hack underscores what many Americans have known for years: All those emails, photos and other personal files stored online can easily be stolen, and there’s little anyone can do about it.”
The only saving grace is that the attackers apparently did not exploit the information for fraud. But their true motives remain a mystery. – New York (API)
Compromised Credentials – Who Gets Hurt?
Besides Yahoo, I mean. I am not going to boohoo for Yahoo. This is about you and me and every person or company with an Internet presence.
How so? Those one billion Yahoo users all work at some company. They all very likely have bank accounts and online payment accounts. They all have online shopping accounts. They all (OK, most) pay state and federal taxes. They may have charitable contribution accounts and healthcare accounts. The possibilities are practically endless.
I don’t think the hacker’s motive is such a mystery. Acquiring 1,000,000,000 valid, working credentials (yes, one billion!) is like striking the richest gold mine in history. They now possess one billion logon IDs, passwords, birthdates, sets of security questions, phone numbers, email addresses and who knows what else.
Given the known percentage of people who reuse their online passwords, frequently cross-mixing personal and business credentials, it is easy to see what the hackers’ motive was. $$$.
To answer the paragraph header question – we all are, will be, or might be. Do you have a Yahoo account? More on what you can do to prevent damage later in the article.
The Hacker Goes Phishing
Their next move is to see what else those credentials can access. Actually, it’s what they have been doing for the last 3 years. The shocker in this story is that the just-discovered breach began in August of 2013!
Leaked Credentials Make Good Bait
Having possession of valid credentials makes Spear Phishing in an organization easier. Knowing the credentials adds the appearance of validity to the ruse and fools the victims. Planting malware is now much simpler. The hacker only needs to log into an account to do their dirty work. Using known security questions may allow the hacker to completely bypass the need for logon ID and password.
The common habit of password reuse makes the hacker’s job easy and quick. It is a very poor information security practice. Even multi-factor authentication is practically useless in these cases.
The Cascade Effect
There is no information yet that links the Yahoo credentials to any other breach. But history tells us there will be soon enough. Credentials stolen from the LinkedIn, Tumblr and MySpace breaches were used in attacks against Twitter, FitBit and Carbonite.
We all remember the IRS and OPM (Office of Personnel Management) breaches because Social Security numbers were taken. The government does not report the details of how the exploits were accomplished, but you can bet that stolen credentials played a part in the action.
What’s Even Better Than Money?
According to a Bloomberg article and video, “more than 150,000 U.S. government and military employees are among the victims” of the Yahoo breach. It is believed that “their names, passwords, telephone numbers, security questions, birth dates, and backup e-mail addresses are now in the hands of cybercriminals. It’s a leak that could allow foreign intelligence services to identify employees and hack their personal and work accounts, posing a threat to national security. These employees had given their official government accounts to Yahoo in case they were ever locked out of their e-mail.”
Yes, you read that right. People whose job it is to protect national security apparently thought their Yahoo account was more critical than their official government accounts.
You cannot make this stuff up!
The Bloomberg video mentions that the hack was discovered when credentials were found for sale on the Dark Web. It also mentions that Yahoo suspects “state sponsored.” Personally, I’m doubtful that this was a state sponsored attacker. There is a simple rule – state sponsored attackers do not sell the data they acquire on the Dark Web.
Authentication and Access Management
Even though the hacker(s) had 3 years to exploit the credentials, there are still immediate actions you can take to protect yourself. This is what you must do now.
Advice to Individuals
Obviously – Change all of your credentials. Change passwords, logon IDs and security questions. I realize you probably have 100 accounts. One hundred unique sets may be impractical, but you can create enough variation that you can avoid using the same combinations on multiple sites. Read up on Information Security and practice good habits.
Never mix personal accounts’ credentials with business accounts.
Advice to Organizations
- The first action is to send an internal memo explaining the impact of the Yahoo breach. Ask employees to determine if they had or still have a Yahoo account. Instruct employees not to use corporate services or personal online services that were accessed with passwords, logon IDs or security questions used for their Yahoo accounts.
- The second action is to assure that all employees change their corporate credentials. A corporate access security refresh is necessary.
- The third and equally critical action is to procure the VeriClouds Credentials Monitoring Service. If you already had our service, you would have known about the leaked credentials as soon as they appeared on the Dark Web.
- Get tested! Using penetration testing techniques, the VeriClouds Red Team tests your defenses against compromised credentials attacks and shows real evidence of potential weaknesses. Such services should include a Social Engineering preparedness assessment.
It has been 3 years since the exploit began because Yahoo was never going to discover it themselves. Successful credentials monitoring requires unique skill sets and “special” contacts in the Dark Web world. It is not a DIY (Detect-It-Yourself) undertaking.
VeriClouds constantly monitors the most widely used online places where stolen user credentials are offered for sale. Our Credentials Monitoring Service can continuously track all those online places in the United States and abroad, and if credentials for your domain are offered for sale, we can immediately contact you to provide details about the accounts.
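The two checks described above (which entries in a leaked dump belong to your domain, and whether a leaked password was reused for the corporate account, the risk raised under “Leaked Credentials Make Good Bait”) can be illustrated with a short script. This is an added example, not VeriClouds’ code or service: the domain, the dump lines and the corporate directory are constructed sample data, and salted PBKDF2 stands in for whatever password hash a real directory uses.

```python
"""
Added example (not VeriClouds' code): triage a leaked credential dump
against a corporate directory after a third-party breach.

  1. Which entries in the dump belong to our domain?  (the monitoring step)
  2. Did any of those people reuse the leaked password for their corporate
     account?  (the cascade risk the article describes)

All data below is constructed for the example; no real accounts are involved.
Corporate passwords are stored as salted PBKDF2 hashes, so the check compares
the leaked plaintext against a hash and never needs plaintext from the directory.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

CORPORATE_DOMAIN = "example.com"  # assumed domain for this example
PBKDF2_ROUNDS = 100_000           # work factor; a real directory may use more

# Constructed leaked dump in the "email:password" form such dumps usually take.
LEAKED_DUMP = """\
alice@example.com:Summer2013!
bob@yahoo.com:hunter2
carol@example.com:correct-horse
dave@EXAMPLE.COM:Passw0rd
not a valid line
eve@other.org:qwerty
"""


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class CorpRecord:
    salt: bytes
    digest: bytes


def build_directory(plaintexts: dict) -> dict:
    """Constructed corporate directory; the plaintexts exist only to set up the sample."""
    directory = {}
    for user, pw in plaintexts.items():
        salt = os.urandom(16)
        directory[user] = CorpRecord(salt, hash_password(pw, salt))
    return directory


CORP_DIRECTORY = build_directory({
    "alice": "Summer2013!",     # reused her Yahoo password at work
    "carol": "different-pass",  # distinct corporate password
    "dave": "Passw0rd",         # reused
})


def parse_dump(text: str) -> list:
    """Return (email, password) pairs; emails are normalised to lower case."""
    pairs = []
    for line in text.splitlines():
        if ":" not in line:
            continue  # skip lines that are not email:password
        email, _, password = line.partition(":")
        pairs.append((email.strip().lower(), password))
    return pairs


def entries_for_domain(pairs: list, domain: str = CORPORATE_DOMAIN) -> list:
    suffix = "@" + domain.lower()
    return [(e, p) for e, p in pairs if e.endswith(suffix)]


def password_reused(user: str, leaked_password: str, directory: dict = CORP_DIRECTORY) -> bool:
    """True if the leaked plaintext matches the user's stored corporate hash."""
    rec = directory.get(user)
    if rec is None:
        return False
    return hmac.compare_digest(hash_password(leaked_password, rec.salt), rec.digest)


def triage(dump_text: str = LEAKED_DUMP) -> dict:
    """Accounts to notify, and the subset whose corporate password must be reset now."""
    ours = entries_for_domain(parse_dump(dump_text))
    notify = sorted({e for e, _ in ours})
    force_reset = sorted({e for e, p in ours if password_reused(e.split("@")[0], p)})
    return {"notify": notify, "force_reset": force_reset}


if __name__ == "__main__":
    result = triage()
    print("Our accounts in the dump:", result["notify"])
    print("Corporate password reused:", result["force_reset"])
```

Every account in the `notify` list gets the internal memo; the `force_reset` subset is the concrete case the article warns about, where the corporate credential is already in the attacker’s hands and should be invalidated before anything else.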
VeriClouds serves as a trusted security advisor to the Global 500 and other progressive enterprises, helping to safeguard their most important assets and improve their overall security posture. We have domain expertise in several vertical industries. Our industry-specific methodologies and assessments are aligned with our core competencies:
Physical Security Assessments