Yahoo! Finally Answers Security Breach Questions

By

I think we can all agree that it’s been a rough few months for Yahoo!. The company first started making major headlines back in July when it was announced that Verizon would be acquiring the company. From there, everything seems to have gone downhill. In September, Yahoo! announced that 500 million of its users had been hacked, presumably by a state-sponsored hacker. As a result, Verizon dropped its buying price and Yahoo! even decided to change its name.

For awhile, all had been quiet in regard to the Yahoo! predicament. Yahoo! has been working to win back users by promoting new features on its mail app, and things were maybe even looking up for the company. Unfortunately, I, along with several others, received another email a few weeks ago that Yahoo! had uncovered yet another hacking incident from 2015 or 2016, which was enabled through forged cookies.

Put simply, data from over 1 billion accounts was stolen in 2013, data from 500 million accounts was stolen in 2014 and forged cookies were used in 2015 and 2016 to access accounts. I may not be a mathematician, but it’s pretty evident that those numbers don’t bode well for Yahoo! or its users. And, if you’re anything like me, you’re most likely thinking “enough is enough.” It seems like Yahoo! keeps getting hit time and time again with security issues. Although the company’s executives have been meeting almost daily since announcing the major security breaches during working sessions to improve its cybersecurity, the damage has already been done. At least, that’s the opinion of the Senate committee that questioned Yahoo! on its reaction to the breaches.

After Yahoo! canceled a scheduled briefing with staff from the Senate Committee on Commerce, Science and Transportation earlier this month, Senators John Thune and Jerry Moran sent the company a letter demanding answers. According to a recent post by Kate Conger, the committee demanded to know “the nature of the incident, those affected, and steps the company had taken to identify and mitigate consumer harm, beyond what was already known publicly.”

I think these are questions we’d all like answered, and Yahoo! has finally responded.

Professionals are on the case. It turns out that Yahoo! is working with federal, state and foreign government officials on the breaches. In fact, Yahoo! actually learned about the 2013 hack from a law enforcement agency, so it’s good to know that there are several experts on the case. In addition, Yahoo! has hired a risk management executive to focus on security. “Yahoo! has formalized the role of and hired a functional leader for risk management whose chief mandate is to mature Yahoo!’s formal information risk management security program,” said a representative from Yahoo!

Preventative measures. The company is expanding its team that tracks Advanced Persistent Threat campaigns, which should help prevent any more state-sponsored attacks. It also follows the NIST Cybersecurity Framework, which, according to Conger, “recommends best security practices for businesses, takes a “kill chain” approach to attack detection, funds a red team to attack its own products and has a bug bounty program to support vulnerability research.”

Okay, so maybe not all of our questions have been answered, but the company addressed some of the biggest ones. Unfortunately, Yahoo! still isn’t being very forthcoming about the number of users that were affected. It told the committee that most of the accounts involved in the 2014 breach were also involved in the 2013 breach. The breach timeline seems to be all over the place, especially because Yahoo! didn’t know about the 2013 breach until 2016, and those involved in the 2015/2016 forged cookies attacks didn’t receive a notification email until February 2017. That’s all a bit unsettling, but apparently Yahoo! has created an independent committee of its board of directors to investigate the timeline further.

Although there are still many questions left unanswered, at least we know the company is taking steps to figure out what happened and prevent any similar attacks from happening again. I, like many others, remain skeptical about Yahoo!, but hopefully the extra measures it’s taking will finally put a stop to its cybersecurity issues.




Edited by Maurice Nagle
Get stories like this delivered straight to your inbox. [Free eNews Subscription]
SHARE THIS ARTICLE
Related Articles

How to Protect Your Website From LDAP Injection Attacks

By: Contributing Writer    3/12/2024

Prevent LDAP injection attacks with regular testing, limiting access privileges, sanitizing user input, and applying the proper encoding functions.

Read More

Azure Cost Optimization: 5 Things You Can Do to Save on Azure

By: Contributing Writer    3/7/2024

Azure cost optimization is the process of managing and reducing the overall cost of using Azure. It involves understanding the resources you're using,…

Read More

Massive Meta Apps and Services Outage Impacts Users Worldwide

By: Alex Passett    3/5/2024

Meta's suite of apps and services are experiencing major global outages on Super Tuesday 2024.

Read More

The Role of Technology in Shaping the Future of Affiliate Marketing

By: Contributing Writer    3/5/2024

In the current rapidly growing digital world, affiliate marketing is still one of the most effective ways for businesses to increase their visibility …

Read More

The Steps You Can Take To Improve Customer Service For Your Business

By: Contributing Writer    3/5/2024

When you're in a competitive market, providing exceptional customer service is crucial for the success and growth of your business. Good customer serv…

Read More