The Yahoo Breach: Four Lessons

If the Yahoo data breach has taught us anything, it’s that no enterprise is immune to compromise.

Yahoo revealed late last month that at least 500 million user accounts were compromised during an attack that happened in 2014. Stolen data included users’ names, email addresses, telephone numbers, dates of birth and encrypted passwords.

The exact security holes attackers exploited remains unclear, though security firm Venafi recently told CSOonline’s Steve Ragan that its own investigation pointed to weak cryptographic controls; that 27 percent of certificates exposed externally via Yahoo’s websites hadn’t been reissued since January 2015.

More details are sure to follow, but enterprises and their customers needn’t wait for more news to better defend themselves. Here’s a look at four lessons that, if heeded, can help reduce the risk of attack.

1. Everything must be encrypted. Yahoo encrypted passwords, but it’s unlikely that much else was encrypted. Jeremiah Grossman, chief of security strategy at SentinelOne and a former information security officer at Yahoo, told Consumer Reports, “All the giants—Google, Facebook, Yahoo—will hash passwords, but other data, like your date of birth, they won’t. These are advertising companies, and they need to get to that data easily. Hashing it would be a direct violation of their business model.” The more data companies encrypt, the safer their customers will be.

2. Multi-factor authentication makes it harder for thieves to succeed. Bryce Austin, CEO and strategist with TCE Strategy, noted in an article on LinkedIn that while multi-factor authentication isn’t perfect, it does increase the resilience of accounts dramatically. The more doors there are to pass through, the harder it is for the bad guys to break into the main vault.

3. Defense-in-depth is a must. Beyond the encryption and complex authentication methods is the need to adopt multiple layers of security throughout the enterprise network. This might seem like an obvious statement. But despite all the talk over the years, the frequency of data breaches continues to increase. Companies must make vigorous use of pen testing to find and fix weaknesses, continuously educate employees and users on security best practices, and have a response plan in place in case of a breach. Which takes us to lesson four:

4. Always assume you will be breached. No matter how ironclad a company’s security is, there’s always a chance attackers will break through. The Yahoo breach happened in 2014 and security experts have questioned why it took so long for the company to go public with the news. Enterprises must keep a specific action plan on the shelf that clearly states how communications will be handled and who will do what during the investigation and remediation phase.