The Yahoo Breach Is Much, Much Worse Than Originally Announced

October 3, 2016


500 million, 1 billion, or even 3 billion; they are just numbers, right? The initial data breach disclosure for Yahoo indicated 500 million accounts compromised, with up to 10 million accounts still using the same password as at the time of the initial breach in 2014. Details about the breach are all over the web, and questions of how two years passed without public disclosure, how the attackers gained access, and what Yahoo did to protect against future attacks are being answered with very questionable results. Well, a new set of articles appeared on Friday (Hacker News and New York Times) that highlight how cybersecurity can go grossly wrong within an organization.

Yahoo does not know how many accounts were actually compromised.

Due to their internal security architecture, one database provides authentication for all of their services, and there is no way of knowing whether 500 million accounts or 3 billion accounts were compromised. If the hackers had access to the entire database, which they did, the assumption that they leaked only parts of the database is ultimately a false one. This calls into question the actual number of accounts compromised and publicly announced. While we, as external security professionals, may never know, having accurate facts is critical, and false claims, assumptions and improper public disclosure only make it worse. We cannot learn from our peers’ mistakes, and this likely could have led, or will lead, to a similar breach against businesses architected and secured in the same way.

There is a report that identifies that the internal security team at Yahoo had the nickname “Paranoids.”

What kind of corporate culture gives the team that protects all of the crown jewels such a harsh nickname? As security professionals, having some paranoia is a good trait. For a company like Yahoo, I would hope my security team was exceptionally paranoid, especially if the reported conflicts between operations, management and executives were true. When management ignores a breach, focuses on future development, does not follow proper protocol for public disclosure, and will not even request that all users change their passwords, there is a deep trust and cultural divide that could poison an organization. Teams must respect and trust each other regardless of their personality quirks and diversity. Yahoo is a perfect example of what can go wrong when that balance is not respected.

All of this information comes at one of the worst times possible for Yahoo.

Verizon has an offer of $4.8 billion on the table to acquire Yahoo’s assets. If this breach had been properly managed in 2014, its disclosure may not have jeopardized the entire acquisition. All levels of business need to learn some lessons from this debacle. Whether it pertains to proper public disclosure or to trusting teams within an organization to make good decisions, in the end (ignoring the potential intent of a malicious or careless insider – a different problem for another blog) everyone wants the company to succeed. It is our jobs and our paychecks on the line. Changes in process, security and operations sometimes need to occur to make our businesses more secure. Rejecting them and creating conflict unfortunately only fuels the problems that appear to have affected Yahoo. There are better and more constructive ways for people and businesses to meet these challenges and create a healthy and secure work environment. It starts with honesty, trust and respect.

Keep checking our blog for continuing coverage of the Yahoo breach. For more on how to better manage enterprise credentials and mitigate the risks of outsiders trying to become insiders, contact us today.

Morey J. Haber, Chief Security Officer, BeyondTrust

Morey J. Haber is the Chief Security Officer at BeyondTrust. He has more than 25 years of IT industry experience and has authored three books: Privileged Attack Vectors, Asset Attack Vectors, and Identity Attack Vectors. He is a founding member of the industry group Transparency in Cyber, and in 2020 was elected to the Identity Defined Security Alliance (IDSA) Executive Advisory Board. Morey currently oversees BeyondTrust security and governance for corporate and cloud based solutions and regularly consults for global periodicals and media. He originally joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition where he served as a Product Owner and Solutions Engineer since 2004. Prior to eEye, he was Beta Development Manager for Computer Associates, Inc. He began his career as Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.
