When I posted my blog on Thursday, we were waiting to see if Yahoo was going to make an announcement about a data breach. Of course, shortly after it posted, Yahoo’s announcement did come and it was more shocking than I think most of us expected.
First of all, that 200 million users affected was way low. It is more than 500 million user accounts compromised, a greater number than the U.S. population.
Second, it is believed that the breach was caused by state-sponsored actors, but Yahoo isn’t saying much more than that. To that point, Vishal Gupta, CEO of Seclore, told me in an email comment:
The fact that the Yahoo breach is being tied to state-sponsored actors is extremely alarming. The fallout from this attack could be devastating. For example, this nation now has access to 500 million phone numbers. With talk of Russian attempts to influence the election, it isn’t difficult to imagine how access to the contact information, and personal details, of that many potential votes could be used maliciously.
Now, we don’t know if this was Russia or who, but I get Gupta’s point. The information gleaned from this breach could be used in ways that we never imagined before.
Third, it took a very long time for this breach to be made public. The story I wrote about Thursday, the release of data by the hacker called Peace, made it appear that this breach was recent. But as eWeek reported:
As it turns out, after its investigation, Yahoo ultimately found no evidence to substantiate Peace's claims of gaining Yahoo user account information by way of a breach that occurred in 2012. That said, after completing the investigation into the alleged 2012 breach, Yahoo's internal security team conducted a broader, deep-dive review of its systems. In so doing, the team identified evidence of a breach by a state-sponsored actor that occurred in 2014.
There is no excuse for a breach taking years to be revealed, and this is something that needs to be addressed in Congress. But I can’t get all worked up over the panic that I’m seeing unfold. That information was compromised two years ago – at least (I’m not sure I completely trust anything being said at this point). Chances are good that a lot of it has been used already in some manner, as Jason Trost from the Anomali Labs team, pointed out to me in an email:
Many people use their Yahoo address as a primary personal address, and primary addresses are often used as the destination for password reset links for other sites – think banking, ecommerce, taxes, health care, etc. So, if this was compromised in 2014, and it was a state sponsored group and Yahoo didn’t know until now, we would suspect that this intelligence has been exploited for quite a while. I would not be surprised if larger service providers or social media companies come out with similar announcements from breaches occurring around the same time, especially if Yahoo shares the details of the attack with its peers.
There have been a lot of recommendations to change Yahoo-related passwords, and I agree. I’m going to go one step further and say that if you reused any of those Yahoo passwords on other sites, change those passwords, too.
And watch out for phishing emails. I already saw one, forwarded to me by a family member, that I’m positive is related to the Yahoo breach, but was very difficult to discern without careful inspection.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba.