Yahoo Breach Is Worse Than We Were Told

Three billion (3,000,000,000) is the current tally of breached user IDs, passwords, and customer account information at Yahoo.  This is most assuredly all of the user account information they were holding about their customers. If you were or are a Yahoo account holder, just assume your information is among the lost.

Earlier we reported that this breach may have been less significant because Yahoo was using an encryption method called “bcrypt.”  Bcrypt is more secure because it uses multiple rounds of encryption, coupled with the insertion of random data known as a “salt.”  It turns out that Yahoo was evidently on a low-salt diet, because salting was not part of the package.  The number of rounds was too few to be effective.  And Yahoo had only converted some of the password database from the old and ineffective MD5 hashes it had been using for years.
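An added example (not code from the original post) showing the three problems just described side by side: unsalted MD5 entries for two users who share a password are identical and fall to a precomputed table, a per-user random salt plus a high round count makes each stored value unique, and a login path that re-hashes any still-legacy entry finishes the migration the post says was left incomplete. Assumptions: PBKDF2-HMAC-SHA256 from the Python standard library stands in for bcrypt, and the user names and passwords are constructed.

```python
import hashlib
import hmac
import os

# Constructed sample accounts: two users who happen to share a password.
SAMPLE_PASSWORDS = {"alice": "hunter2", "bob": "hunter2"}

ITERATIONS = 200_000  # cost parameter; too few rounds is one failure the post describes


def legacy_md5(password):
    """The old scheme: one unsalted, single-round MD5 per password."""
    return hashlib.md5(password.encode()).hexdigest()


def strong_hash(password, salt=None, iterations=ITERATIONS):
    """Per-user random salt plus many rounds. PBKDF2-HMAC-SHA256 stands in for bcrypt here."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2$%d$%s$%s" % (iterations, salt.hex(), dk.hex())


def is_legacy(stored):
    return not stored.startswith("pbkdf2$")


def verify(password, stored):
    """Check a password against either stored format, using constant-time comparison."""
    if is_legacy(stored):
        return hmac.compare_digest(legacy_md5(password), stored)
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def login_and_upgrade(store, user, password):
    """On a successful login, re-hash a still-legacy entry so the migration completes over time."""
    if user not in store or not verify(password, store[user]):
        return False
    if is_legacy(store[user]):
        store[user] = strong_hash(password)
    return True


def audit_legacy_entries(store, wordlist):
    """Defender audit: which unconverted entries match a precomputed MD5 table of common passwords?"""
    table = {legacy_md5(w): w for w in wordlist}
    return {u: table[h] for u, h in store.items() if is_legacy(h) and h in table}


def legacy_count(store):
    """How much of the database is still unconverted."""
    return sum(1 for h in store.values() if is_legacy(h))
```

Running the audit before and after users log in shows the exposure shrinking only as legacy entries are upgraded, which is why a partial conversion leaves the untouched rows just as weak as before.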

The Yahoo episode, the recent Equifax breach, and so many others are disheartening because, even though methods exist to keep customer information safe, nothing was implemented because it was too “hard,” too expensive, or required more resources to implement and people with special skills to operate them.

Companies that hold customer data need to be encrypting this data when stored on a hard drive and in transit across the Internet, and use encryption techniques that are strong enough to survive brute-force decryption by software and machines.

I am not a fan of governmental regulation.  It is usually too little and too late, too hard to change or improve, and subject to politics, compromise, and campaign contributions.  But if companies can’t independently come to the decision to do what is best and right by their customers, then I imagine the government will step in and impose their idea of a “solution.”  It is my hope that the marketplace will reward companies that improve their security, and penalize those that don’t, eventually forcing everyone to upgrade in order to compete.  Having just written those words, even I am laughing, but it is not funny.  This is something that is possible to do, and needs to be done now if we are ever to end the chaos of a never-ending cycle of breaches and information exposure.

About the Author:

Cybersecurity analyst, pen-tester, trainer, and speaker. Serving small business owners in the St Paul, Minneapolis, and western Wisconsin area since 2001. Cybersecurity and hacking have been a passion of mine since I entered the computer and networking business in 2000. I hold several cybersecurity certifications including Certified Information Systems Security Professional (CISSP), Certified Advanced Security Practitioner (CASP), and Certified Ethical Hacker (CEH). Other computer industry certifications include A+, Network+ and Microsoft Certified System Engineer (MCSE). As Cybersecurity Analyst at The WyzCo Group, I help our clients experience high levels of security on their computers, networks, and websites. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. We also provide Cybersecurity Awareness Training for clients and their employees. I am a frequent speaker at cybersecurity conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference, the (ISC)2 World Congress, and the ISSA International Conference, and many local community organizations, Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2008.
