I think we can all agree that it’s been a rough few months for Yahoo!. The company first started making major headlines back in July when it was announced that Verizon would be acquiring the company. From there, everything seems to have gone downhill. In September, Yahoo! announced that 500 million of its users had been hacked, presumably by a state-sponsored hacker. As a result, Verizon (News - Alert) dropped its buying price and Yahoo! even decided to change its name.
For awhile, all had been quiet in regard to the Yahoo! predicament. Yahoo! has been working to win back users by promoting new features on its mail app, and things were maybe even looking up for the company. Unfortunately, I, along with several others, received another email a few weeks ago that Yahoo! had uncovered yet another hacking incident from 2015 or 2016, which was enabled through forged cookies.
Put simply, data from over 1 billion accounts was stolen in 2013, data from 500 million accounts was stolen in 2014 and forged cookies were used in 2015 and 2016 to access accounts. I may not be a mathematician, but it’s pretty evident that those numbers don’t bode well for Yahoo! or its users. And, if you’re anything like me, you’re most likely thinking “enough is enough.” It seems like Yahoo! keeps getting hit time and time again with security issues. Although the company’s executives have been meeting almost daily since announcing the major security breaches during working sessions to improve its cybersecurity, the damage has already been done. At least, that’s the opinion of the Senate committee that questioned Yahoo! on its reaction to the breaches.
After Yahoo! canceled a scheduled briefing with staff from the Senate Committee on Commerce, Science and Transportation earlier this month, Senators John Thune and Jerry Moran sent the company a letter demanding answers. According to a recent post by Kate Conger, the committee demanded to know “the nature of the incident, those affected, and steps the company had taken to identify and mitigate consumer harm, beyond what was already known publicly.”
I think these are questions we’d all like answered, and Yahoo! has finally responded.
Professionals are on the case. It turns out that Yahoo! is working with federal, state and foreign government officials on the breaches. In fact, Yahoo! actually learned about the 2013 hack from a law enforcement agency, so it’s good to know that there are several experts on the case. In addition, Yahoo! has hired a risk management executive to focus on security. “Yahoo! has formalized the role of and hired a functional leader for risk management whose chief mandate is to mature Yahoo!’s (News - Alert) formal information risk management security program,” said a representative from Yahoo!
Preventative measures. The company is expanding its team that tracks Advanced Persistent Threat campaigns, which should help prevent any more state-sponsored attacks. It also follows the NIST Cybersecurity Framework, which, according to Conger, “recommends best security practices for businesses, takes a “kill chain” approach to attack detection, funds a red team to attack its own products and has a bug bounty program to support vulnerability research.”
Okay, so maybe not all of our questions have been answered, but the company addressed some of the biggest ones. Unfortunately, Yahoo! still isn’t being very forthcoming about the number of users that were affected. It told the committee that most of the accounts involved in the 2014 breach were also involved in the 2013 breach. The breach timeline seems to be all over the place, especially because Yahoo! didn’t know about the 2013 breach until 2016, and those involved in the 2015/2016 forged cookies attacks didn’t receive a notification email until February 2017. That’s all a bit unsettling, but apparently Yahoo! has created an independent committee of its board of directors to investigate the timeline further.
Although there are still many questions left unanswered, at least we know the company is taking steps to figure out what happened and prevent any similar attacks from happening again. I, like many others, remain skeptical about Yahoo!, but hopefully the extra measures it’s taking will finally put a stop to its cybersecurity issues.