Yesterday we found out that up to 500 million Yahoo accounts may have had their account details (user name, password, etc.) compromised in one of the largest breaches in history. If you read between the lines, Yahoo makes sure to call out that most of those passwords were highly encrypted, and that means that the culprits are unlikely to be able to crack and reuse them. But outside of that, there are a number of risks that users are now more exposed to than before this breach became public.
Best Practices
As a security professional, I think about a few things when I hear about this breach and it reminds me of some best practices that I have learned along the way.
- First, never reuse a personal email (like Yahoo) password for personally critical things like banking or corporate environments
- Second, take the risks seriously. Never assume that someone you trust with your personal information cannot be compromised, and never act as though it won’t matter if they are
- Always keep backups of your critical data
- Always set recovery keys, have secondary accounts, print out important banking information occasionally, etc.
- Know what is going on in your accounts, credit cards, etc. and know which accounts you have open
- Finally, turn on notifications and multi-factor authentication for the environments that you really need protected (e.g. banking and work).
Corporate environments – regardless of how much money is spent on information security – are bound to occasionally leak their customers’ information. Unfortunately, that is the reality of the world we live in now, and it is why IT security has undergone a shift from prevention to detection and mitigation.
“New” Risks
Because this information is out in the wild now, the risk of phishing just went up, simply because attackers know which email addresses to target. Compounding the issue, many corporate users check their personal email from work, and some of them synchronize it to their corporate PC. This is now an attack avenue that may have been less significant before.
Quick Tips
To combat this threat, I believe that a multi-layered set of controls should be in place. Definitely remind everyone to change their passwords, use a personal and enterprise password manager, and definitely DO NOT use the same account for your personal email as your office email! If you use Yahoo for your email for either, CHANGE IT NOW!
If you are a corporate security person and your company uses Yahoo for email, or any of your users use it personally, you should remove access to privileged accounts for those users, rotate their passwords, and remind everyone that they could be breached and must take action.
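As an added illustration (not code from the original post or from BeyondTrust), the following Python triage script applies the last two tips to a constructed account export: it flags accounts whose office or recovery mailbox is on a Yahoo domain, puts privileged-access removal first, and notes when the personal and office mailbox are the same account. The Yahoo domain list and the CSV columns are assumptions.

```python
import csv
import io

# Assumed list of Yahoo-operated mail domains; yahoo.<tld> country domains are matched by prefix.
YAHOO_DOMAINS = {"yahoo.com", "ymail.com", "rocketmail.com"}

# Constructed sample export (not real data): one row per corporate account.
SAMPLE_CSV = """username,office_email,recovery_email,privileged
alice,alice@corp.example,alice.home@Yahoo.com,yes
bob,bob@corp.example,bob@example.org,no
carol,carol@yahoo.co.uk,carol@yahoo.co.uk,no
dave,dave@corp.example,dave@ymail.com,yes
erin,erin@corp.example,,no
"""


def is_yahoo_address(email: str) -> bool:
    """True if the address is hosted on a Yahoo mail domain (case-insensitive)."""
    email = email.strip().lower()
    if "@" not in email:
        return False  # empty or malformed field: nothing to match
    domain = email.rsplit("@", 1)[1]
    return domain in YAHOO_DOMAINS or domain.startswith("yahoo.")


def plan_actions(row: dict) -> list:
    """Return the ordered remediation steps for one account, or [] if unaffected."""
    office, recovery = row["office_email"], row["recovery_email"]
    office_hit, recovery_hit = is_yahoo_address(office), is_yahoo_address(recovery)
    if not (office_hit or recovery_hit):
        return []
    actions = []
    if row["privileged"].strip().lower() == "yes":
        actions.append("remove privileged access pending review")  # privileged accounts first
    actions.append("force password rotation")
    if office_hit:
        actions.append("migrate office mail off Yahoo")
    if office.strip().lower() == recovery.strip().lower():
        actions.append("separate personal and office accounts")
    actions.append("send breach reminder")
    return actions


def triage(csv_text: str) -> dict:
    """Map each affected username to its remediation steps; unaffected users are omitted."""
    plans = ((r["username"], plan_actions(r)) for r in csv.DictReader(io.StringIO(csv_text)))
    return {user: steps for user, steps in plans if steps}
```

Run `triage(SAMPLE_CSV)` to get the per-user action list; feed it a real directory export with the same columns to get a worklist for the rotation and access-review steps above.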
Scott Carlson, Technical Fellow
As Technical Fellow, Scott Carlson brings internal technical leadership to BeyondTrust, strategic guidance to our customers, and evangelism to the broader IT security community. He also plays a key role in developing innovative relationships between BeyondTrust and its technical alliance partners. Scott has over 20 years of experience in the banking, education and payment sectors, where his focus areas have included information security, data centers, cloud, virtualization, and systems architecture. He is also a noted thought leader, speaker and contributor to RSA Conference, OpenStack Foundation, Information Week and other industry institutions.
Prior to joining BeyondTrust, Scott served as Director of Information Security Strategy & Integration with PayPal, where he created and executed security strategy for infrastructure across all PayPal properties, including worldwide data centers, office networks, and public cloud deployments. He led several cross-departmental teams to deliver information security strategy, technical architecture, and strategic solutions across enterprise IT environments. As a member of the office of the CISO, CTO and CIO, Scott spoke on behalf of the company at global conferences. In addition, he was responsible for infrastructure budget management, vendor management, and product selection, while also serving as the cloud security strategist for private OpenStack cloud and public cloud (AWS, GCP, Azure). Prior to PayPal, Scott held similar roles with Apollo Education Group and Charles Schwab.