Three billion (3,000,000,000) is the current tally of breached user IDs, passwords, and customer account information at Yahoo. This is most assuredly all of the user account information they were holding about their customers. If you were or are a Yahoo account holder, just assume your information is among the lost.
Earlier we reported that this breach might have been less significant because Yahoo was using an encryption method called “bcrypt.” Bcrypt is more secure because it uses multiple rounds of encryption, coupled with the insertion of random data known as a “salt.” It turns out that Yahoo was evidently on a low-salt diet, because salting was not part of the package. The number of rounds was too few to be effective. And Yahoo had only converted some of the password database from the old and ineffective MD5 hashes it had been using for years.
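To make the two problems above concrete (unsalted MD5 entries that never got migrated, and a salted, iterated hash that should replace them), here is an added example; it is not code from the article or from Yahoo. It assumes a stand-in scheme: the standard library's PBKDF2-HMAC-SHA256 plays the role of bcrypt, the password store is a constructed dictionary, and legacy entries are upgraded on the user's next successful login.

```python
import hashlib
import hmac
import os
from collections import Counter

# Cost parameter (analogous to bcrypt's work factor): tune so one hash takes ~100 ms on your servers.
ITERATIONS = 100_000
PREFIX = "pbkdf2$"  # marks entries already in the salted, iterated format


def legacy_md5(password: str) -> str:
    """Unsalted MD5, the legacy format: identical passwords always yield identical digests."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str) -> str:
    """Per-user random salt plus many iterations (PBKDF2 stands in for bcrypt in this example)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{PREFIX}{ITERATIONS}${salt.hex()}${digest.hex()}"


def is_legacy(stored: str) -> bool:
    return not stored.startswith(PREFIX)


def verify(stored: str, password: str) -> bool:
    """Check a password against either stored format, using a constant-time comparison."""
    if is_legacy(stored):
        return hmac.compare_digest(legacy_md5(password), stored)
    _, iters, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


def login_and_upgrade(db: dict, user: str, password: str) -> bool:
    """On a successful login, silently replace a legacy MD5 entry with a salted, iterated hash."""
    if user not in db or not verify(db[user], password):
        return False
    if is_legacy(db[user]):
        db[user] = hash_password(password)
    return True


def audit(db: dict) -> dict:
    """Count entries still in the legacy format and legacy digests shared by several accounts."""
    legacy = [h for h in db.values() if is_legacy(h)]
    shared = sum(1 for n in Counter(legacy).values() if n > 1)
    return {"total": len(db), "legacy": len(legacy), "shared_legacy_digests": shared}


# Constructed sample store: two users with the same password under MD5, one already migrated.
SAMPLE_DB = {
    "alice": legacy_md5("correct horse"),
    "bob": legacy_md5("correct horse"),
    "carol": hash_password("battery staple"),
}
```

The audit shows what an attacker also sees in an unsalted table: alice and bob share a digest, so cracking one password cracks both, while salted entries reveal nothing of the kind.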
The Yahoo episode, the recent Equifax breach, and so many others are disheartening because even though methods exist to keep customer information safe, they were not implemented because doing so was considered too “hard,” too expensive, or required more resources and people with special skills to operate them.
Companies that hold customer data need to encrypt that data both when it is stored on a hard drive and when it is in transit across the Internet, and they need to use encryption techniques that are strong enough to survive brute-force decryption by software and machines.
I am not a fan of governmental regulation. It is usually too little and too late, too hard to change or improve, and subject to politics, compromise, and campaign contributions. But if companies can’t independently come to the decision to do what is best and right by their customers, then I imagine the government will step in and impose their idea of a “solution.” It is my hope that the marketplace will reward companies that improve their security, and penalize those that don’t, eventually forcing everyone to upgrade in order to compete. Having just written those words, even I am laughing, but it is not funny. This is something that is possible to do, and needs to be done now if we are ever to end the chaos of a never-ending cycle of breaches and information exposure.