It appears that the entire security world is waiting for Yahoo to make an announcement about one of the largest breaches yet. It’s expected to have affected at least (probably more than) 200 million user accounts. My inbox began flooding with the news first thing this morning, and I admit, I don’t recall such a reaction for the anticipation of an announcement that, as Graham Cluley wrote in his blog, may or may not come.
The speculation of this massive breach was first reported by Recode, adding:
Earlier this summer, Yahoo said it was investigating a data breach in which hackers claimed to have access to 200 million user accounts and one was selling them online. ‘It’s as bad as that,’ said one source. ‘Worse, really.’
A cybercriminal known as Peace is allegedly selling the personal credentials of the compromised accounts. The announcement comes just as Verizon is poised to purchase Yahoo for nearly $5 billion. There are some who believe the timing of the data sale, forcing the announcement of the breach, is no coincidence. As Stephen Gates, Chief Research Intelligence Analyst at NSFOCUS, told me in an email comment, this news adds serious baggage to the sale, but it shouldn’t be a deal breaker.
But for the rest of us? The outlook is not as promising, as Gates stated:
Today, organizations of all sizes are taking measures to ensure a breach does not happen to them. Unfortunately, it has not stopped hackers from succeeding on a global scale. Hackers understand how to erode your defenses, consume your resources, control your systems, and eventually steal your data.
The news puts a spotlight on the risks of free email services and, in turn, how it can put businesses at risk. For example, in an email conversation, I learned that Brian Stafford, the CEO of Diligent, a company that provides software for secure board of director portals, has been examining the use of free email services among board members. These are the people among the most elite in the business world and yet more than 30 percent of them are using free email, according to Stafford’s research. Gmail leads the pack, with Yahoo standing third with nine percent usage. As Stafford said in the email comment:
Ranking at number three, the Yahoo breach could affect more than average consumers, and start involving company confidential information.
This was a study of board members only. Now think of how many everyday employees are also using Yahoo or other free email accounts? Then expand it a bit further to other accounts that may use Yahoo’s services. I asked Joseph Carson of Thycotic whether those accounts would be included in this hack. He told me:
While the details have yet to be disclosed, it is likely that those accounts have also been impacted. Yahoo typically requires a Yahoo account and links them together so that both accounts could be used to access those services. Therefore, this is more than just email accounts and the impact could be huge.
But right now, until Yahoo makes that announcement, all we can do is wait and speculate. Until we’re given details, we don’t know the true extent of the breach or the cause of it. But as we wait, it would behoove us to pay attention to something Cluley wrote:
As before, my advice to Yahoo (and other internet) users is that your online accounts will be a whole lot safer if you have not made the mistake of reusing passwords between different sites, and have enabled two-step verification. . . . Not to pass the buck, but everyone going online today needs to be sensible about their security and take the necessary precautions and steps to reduce the chances of their own accounts being compromised.
Do you know how many of your employees may be using free email services on your network, putting your company data at risk?
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba.