we found out that up to 500 million Yahoo accounts may have had their account details (user name, password, etc.) compromised in one of the largest breaches in history. If you read between the lines, Yahoo makes sure to call out that most of those passwords were highly encrypted, and that means that the culprits are unlikely to be able to crack and reuse them. But outside of that, there are a number of risks that users are now more exposed to than before this breach became public.
As a security professional, I think about a few things when I hear about this breach and it reminds me of some best practices that I have learned along the way.
- First, never reuse a personal email (like Yahoo) password for personally critical things like banking or corporate environments
- Second, take the risks seriously. Never assume that someone you trust with your personal information cannot be compromised, and never act as if that wouldn’t matter
- Always keep backups of your critical data
- Always set recovery keys, have secondary accounts, print out important banking information occasionally, etc.
- Know what is going on in your accounts, credit cards, etc. and know which accounts you have open
- Finally, turn on notification and multi-factor authentication for environments that you really need protected (i.e. banking and work).
Corporate environments – regardless of how much money is spent on information security – are bound to occasionally leak their customers’ information. Unfortunately, that is the reality of the world we live in now, and it is why IT security has undergone a shift from prevention to detection and mitigation.
Because this information is out in the wild now, the risk of phishing just went up simply because attackers know which email addresses to target. Compounding the issue, many corporate users check their personal email from work, and some of them synchronize it to their corporate PC. This is now an avenue of attack that might have been less significant before.
To combat this threat, I believe that a multi-layered set of controls should be in place. Definitely remind everyone to change their passwords, use a personal and enterprise password manager, and definitely DO NOT use the same account for your personal email as your office email! If you use Yahoo for your email for either, CHANGE IT NOW!
If you are a corporate security person and utilize Yahoo for email for your company or if any of your users use it personally, you should take action to remove access to privileged accounts for these users, rotate passwords, and ensure that everyone is reminded that they could be breached and must take action.
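As an added example (not from the original post), here is a small Python triage script that turns the response above into an action list: given a constructed directory export, it flags every user whose login, or whose account-recovery address, sits at one of the breached provider's domains, suspends privileged roles for those users, and forces a password rotation unless the password was already changed after the disclosure date. The domain list, the privileged role names, the sample users and the cutoff date are all assumptions, and the recovery-address check goes slightly beyond the post, since a compromised personal mailbox can also be used to reset a corporate password.

```python
"""Post-breach directory triage (added example; all data below is constructed)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List

# Assumption: mail domains operated by the breached provider; adjust to taste.
BREACHED_DOMAINS = {"yahoo.com", "ymail.com", "rocketmail.com"}
# Assumption: role names that count as privileged in this directory.
PRIVILEGED_ROLES = {"domain-admin", "finance-approver"}


@dataclass
class User:
    login: str              # corporate login, usually an email address
    recovery_email: str     # address used for password resets ("" if none)
    roles: List[str]
    password_changed: date  # last password rotation


def uses_breached_provider(user: User) -> bool:
    """True if the login or the recovery address is hosted at a breached domain."""
    addrs = (user.login, user.recovery_email)
    return any(a.rpartition("@")[2].lower() in BREACHED_DOMAINS
               for a in addrs if "@" in a)


def triage(users: List[User], disclosed: date) -> Dict[str, List[str]]:
    """Return who to remind, whose password to rotate, and whose privileges to suspend."""
    actions: Dict[str, List[str]] = {"remind": [], "rotate_password": [],
                                     "suspend_privileges": []}
    for u in users:
        if not uses_breached_provider(u):
            continue
        actions["remind"].append(u.login)            # everyone affected gets the reminder
        if u.password_changed < disclosed:           # not rotated since the breach went public
            actions["rotate_password"].append(u.login)
        if PRIVILEGED_ROLES.intersection(u.roles):   # pull privileged access pending review
            actions["suspend_privileges"].append(u.login)
    return actions


# Constructed sample directory and a constructed cutoff (set to the disclosure date).
SAMPLE = [
    User("alice@example.com", "alice@yahoo.com", ["domain-admin"], date(2016, 9, 1)),
    User("bob@ymail.com", "bob@example.com", [], date(2016, 9, 25)),
    User("carol@example.com", "carol@gmail.com", ["finance-approver"], date(2016, 8, 1)),
    User("dave@rocketmail.com", "dave@example.org", ["finance-approver"], date(2016, 9, 10)),
]
DISCLOSED = date(2016, 9, 22)

if __name__ == "__main__":
    for action, logins in triage(SAMPLE, DISCLOSED).items():
        print(f"{action}: {logins}")
```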