The news services have been full of Yahoo!’s security breach over the last 24 hours. The company has issued this notice confirming the gravity of the situation for anything up to 500m users. True, in many security breaches like this not everyone is affected, but that is still a lot of people at risk. If you have a Yahoo! account dating from before 2014, when the breach occurred, it’s worth changing the password.
The disturbing thing is that this is only one of the breaches the world has heard about. There is no mandatory requirement that a hack be reported when it happens. A few years ago I was at a press conference and someone mentioned the “big Internet outage” of a few years previously. I commented that I hadn’t heard about that one; the response was, “We made sure you didn’t.”
Which is understandable when so much of IT depends on confidence. It’s not reassuring, though, to consider that if we’ve heard of this one there are probably others.
Troy Gill, Manager of Security Research at AppRiver, said, “The fact that Yahoo has now confirmed the breach is no surprise – the scale, however, is. The sad reality is this is the latest in a long list of organisations that have been caught napping when it comes to protecting customers’ data, and I don’t think we’ve seen the last confession yet. In fact, as technology infiltrates every facet of our lives, we are only opening the door for these types of events to be both more frequent and, in all likelihood, more impactful.”
Richard Cassidy, UK cyber security evangelist at Alert Logic, says, “Overall this is a considerable data breach, especially if initial reports citing circa 500 million records leaked are indeed accurate. Furthermore, the data seems to have already been monetized (in part) and firmly distributed via various cybercriminal networks. It is indeed very unfortunate; service providers such as Yahoo will always be a high-value target for bad actor groups on the DarkWeb.”
In fact the experts have queued up with comment, often good sense, but it overlooks what needs to happen next: some sort of legislation or convention by which breaches like this must be declared. Yahoo! clients at least know and understand they are at risk, but this happened in 2014. We don’t know whether equivalent breaches are in progress right now, known to the companies concerned but undeclared.