Yahoo recently announced that the data breach exposed data associated with more than one million user accounts. It later said that the breach involves around 500 million user accounts. Affected information includes names, email addresses, phone numbers, birthdates, hashed passwords and security questions and answers.
As per the Yahoo statement, ”The company has not been able to identify the intrusion associated with this theft.”
Yahoo has advised users to change their passwords. Also, security questions and answers need to be changed.
“Separately, Yahoo previously disclosed that its outside forensic experts were investigating the creation of forged cookies that could allow an intruder to access users’ accounts without a password,” the company stated. “Based on the ongoing investigation, the company believes an unauthorized third party accessed the company’s proprietary code to learn how to forge cookies.”
Yahoo mentioned that there is involvement of certain state-sponsored actor.
“Considering the insufficient security measures that were previously reported to be implemented by the last investigation of 500 million stolen accounts, it’s clear that the defense strategy Yahoo used was not keeping up with the times,” Nathan Wenzler, principal security architect at AsTech Consulting said. He also added that large organization is not always secure.
“Users should always be vigilant and change their credentials on a regular basis, even when used on the websites of very well established and reputable companies,” he said.
“Organizations of all sizes should be taking note of these breaches and use this as a good opportunity to review their own security posture to ensure that outdated and weak security measures aren’t being used,” Wenzler added. “Something like the MD5 hashing that Yahoo was using to protect account information hasn’t been considered a viable security protocol in several years, and is easily cracked.”
“At this time anyone who touched Yahoo needs to do some serious housekeeping on all their systems, all of their passwords and all of their accounts to make sure there is no cross contamination.” Acalvio chief security architect Chris Roberts mentioned in the email.
____________________________________________________________________________________________
Alertsec Endpoint Encrypt is the full disk encryption service that also delivers a mobile data protection system for all information stored on laptops used throughout your organization.