500 million, 1 billion, or even 3 billion; they are just numbers, right? The initial data breach disclosure for Yahoo indicated 500 million accounts compromised, with up to 10 million accounts still using the same password as the initial breach in 2014. Details about the breach are all over the web, and questions of how two years passed without public disclosure, how the attackers gained access, and what Yahoo did to protect against future attacks are being answered with very questionable results. Well, a new set of articles appeared on Friday (Hacker News and New York Times) that highlight how cybersecurity can go grossly wrong within an organization.
Yahoo does not know how many accounts were actually compromised.
Due to their internal security architecture, one database provides authentication against all of their services, and there is no way of knowing whether 500 million accounts or 3 billion accounts were compromised. If hackers had access to the entire database, which they did, the assumption that they leaked only parts of the database is ultimately a false one. This calls into question the actual number of accounts compromised and publicly announced. While we, as external security professionals, may never know, having accurate facts is critical, and false claims, assumptions and improper public disclosure just make it worse. We cannot learn from our peers’ mistakes, and this likely could have led, or will lead, to a similar breach against businesses architected and secured in the same way.
There is a report that identifies that the internal security team at Yahoo had the nickname “Paranoids.”
What kind of corporate culture gives the team that protects all of the crown jewels such a harsh nickname? As security professionals, having some paranoia is a good trait. For a company like Yahoo, I would hope my security team was exceptionally paranoid, especially if the reported conflicts between operations, management and executives were true. When management ignores a breach, focuses on future development, does not follow proper protocol for public disclosure, and will not even request all users change their passwords, there is a deep trust and cultural divide that could poison an organization. Teams must respect and trust each other regardless of their personality quirks and diversity. Yahoo is a perfect example of what can go wrong when that balance is not respected.
All of this information comes at one of the worst times possible for Yahoo.
Verizon has an offer of $4.8 billion on the table to acquire Yahoo’s assets. If this breach had been properly managed in 2014, its disclosure may not have jeopardized the entire acquisition. All levels of business need to learn some lessons from this debacle. Whether it pertains to proper public disclosure or trusting teams within an organization to make good decisions, in the end (ignoring the potential intent of a malicious or careless insider – different problem for another blog) everyone wants the company to succeed. It is our jobs and our paychecks on the line. Changes in process, security and operations sometimes need to occur to make our businesses more secure. Rejecting them and creating conflict unfortunately only fuels the problems that appear to have affected Yahoo. There are better and more constructive ways for people and businesses to meet these challenges and create a healthy and secure work environment. It starts with honesty, trust and respect.
Morey J. Haber, Chief Security Advisor
Morey J. Haber is the Chief Security Advisor at BeyondTrust. As the Chief Security Advisor, Morey is the lead identity and technical evangelist at BeyondTrust. He has more than 25 years of IT industry experience and has authored four books: Privileged Attack Vectors, Asset Attack Vectors, Identity Attack Vectors, and Cloud Attack Vectors. Morey has previously served as BeyondTrust’s Chief Security Officer, Chief Technology, and Vice President of Product Management during his nearly 12-year tenure. In 2020, Morey was elected to the Identity Defined Security Alliance (IDSA) Executive Advisory Board, assisting the corporate community with identity security best practices. He originally joined BeyondTrust in 2012 as a part of the acquisition of eEye Digital Security, where he served as a Product Owner and Solutions Engineer since 2004. Prior to eEye, he was Beta Development Manager for Computer Associates, Inc. He began his career as a Reliability and Maintainability Engineer for a government contractor building flight and training simulators. Morey earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.