The Yahoo Breach Is Much, Much Worse Than Originally Announced

October 3, 2016

500 million, 1 billion, or even 3 billion; they are just numbers, right? The initial data breach disclosure for Yahoo indicated 500 million accounts compromised, with up to 10 million accounts still using the same password as at the time of the initial breach in 2014. Details about the breach are all over the web, and questions of how two years passed without public disclosure, how the attackers gained access, and what Yahoo did to protect against future attacks are being answered with very questionable results. Well, a new set of articles appeared on Friday (Hacker News and New York Times) that highlight how cybersecurity can go grossly wrong within an organization.

Yahoo does not know how many accounts were actually compromised.

Due to their internal security architecture, one database provides authentication against all of their services, and there is no way of knowing if 500 million accounts or 3 billion accounts were compromised. If hackers had access to the entire database, which they did, the assumption that they leaked only parts of the database is ultimately a false assumption. This leads to the questioning of the actual number of accounts compromised and publicly announced. While we, as external security professionals, may never know, having accurate facts is critical, and false claims, assumptions and improper public disclosure just make it worse. Without accurate facts, we cannot learn from our peers’ mistakes, and this likely could have led, or will lead, to a similar breach against businesses architected and secured in the same way.

There is a report that identifies that the internal security team at Yahoo had the nickname “Paranoids.”

What kind of corporate culture gives the team that protects all of the crown jewels such a harsh nickname? As security professionals, having some paranoia is a good trait. For a company like Yahoo, I would hope my security team was exceptionally paranoid, especially if the reported conflicts between operations, management and executives were true. When management ignores a breach, focuses on future development, does not follow proper protocol for public disclosure, and will not even request that all users change their passwords, there is a deep trust and cultural divide that could poison an organization. Teams must respect and trust each other regardless of their personality quirks and diversity. Yahoo is a perfect example of what can go wrong when that balance is not respected.

All of this information comes at one of the worst times possible for Yahoo.

Verizon has an offer of $4.8 billion on the table to acquire Yahoo’s assets. If this breach had been properly managed in 2014, its disclosure may not have jeopardized the entire acquisition. All levels of business need to learn some lessons from this debacle. Whether it pertains to proper public disclosure or trusting teams within an organization to make good decisions, in the end (ignoring the potential intent of a malicious or careless insider – a different problem for another blog) everyone wants the company to succeed. It is our jobs and our paychecks on the line. Changes in process, security and operations sometimes need to occur to make our businesses more secure. Rejecting them and creating conflict unfortunately only fuels the problems that appear to have affected Yahoo. There are better and more constructive ways for people and businesses to meet these challenges and create a healthy and secure work environment. It starts with honesty, trust and respect. Keep checking our blog for continuing coverage of the Yahoo breach. For more on how to better manage enterprise credentials and mitigate the risks of outsiders trying to become insiders, contact us today.

Morey J. Haber, Chief Technology Officer and Chief Information Security Officer at BeyondTrust

Morey J. Haber is Chief Technology Officer and Chief Information Security Officer at BeyondTrust. He has more than 25 years of IT industry experience and has authored four Apress books: Privileged Attack Vectors (2 Editions), Asset Attack Vectors, and Identity Attack Vectors. In 2018, Bomgar acquired BeyondTrust and retained the BeyondTrust name. He originally joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition. Morey currently oversees BeyondTrust strategy for privileged access management and remote access solutions. In 2004, he joined eEye as Director of Security Engineering and was responsible for strategic business discussions and vulnerability management architectures in Fortune 500 clients. Prior to eEye, he was Development Manager for Computer Associates, Inc. (CA), responsible for new product beta cycles and named customer accounts. He began his career as Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.
