Yahoo Breach Is Worse Than We Were Told

Three billion (3,000,000,000) is the current tally of breached user IDs, passwords, and customer account information at Yahoo.  This is most assuredly all of the user account information they were holding about their customers. If you were or are a Yahoo account holder, just assume your information is among the lost.

Earlier we reported that this breach might be less significant because Yahoo was protecting passwords with "bcrypt."  Bcrypt is not an encryption method but a deliberately slow password hashing function: it runs a configurable number of rounds (the "cost factor"), and it mixes in random data known as a "salt" so that two users with the same password do not end up with the same stored hash.  It turns out that Yahoo was evidently on a low-salt diet, because salting was not part of the package, the number of rounds in use was too few to slow down cracking, and Yahoo had converted only part of its password database away from the old and ineffective MD5 hashes it had been using for years.

The Yahoo episode, and the recent Equifax breach and so many others are disheartening because even though methods exist to keep customer information safe, nothing was implemented because it was too “hard,” too expensive, or required more resources to implement and people with special skills to operate them.

Companies that hold customer data need to encrypt it at rest (on disk) and in transit across the Internet.  Passwords in particular should never be stored in a reversible form at all: they should be hashed with a slow, salted algorithm such as bcrypt, at a cost factor high enough that brute-force guessing with software and dedicated cracking hardware is impractical, and any records still sitting in a fast, unsalted hash like MD5 should be migrated the next time each user logs in.
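The following is an added example written for this page, not code from Yahoo or from the original post. It contrasts the unsalted MD5 store described above with a salted, iterated hash, and shows the login-time migration that moves old records to the new scheme. It uses PBKDF2-HMAC-SHA256 from Python's standard library in place of bcrypt, since the mechanism (a per-user random salt plus a tunable work factor) is the same and it runs without extra packages. The user names, passwords and the 600,000-iteration minimum are assumptions for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed minimum work factor for this example; choose the largest value your
# login latency budget allows, and raise it over time as hardware gets faster.
MIN_ITERATIONS = 600_000

# Constructed sample accounts: two users who happen to share a password.
SAMPLE_USERS = {"alice": "hunter2", "bob": "hunter2", "carol": "correct horse"}


def legacy_md5(password: str) -> str:
    """The old, ineffective scheme: one fast, unsalted MD5 hash.

    Identical passwords give identical hashes, so one cracked hash (or one
    precomputed table) exposes every user who chose that password.
    """
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = MIN_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Salted, slow hash: PBKDF2-HMAC-SHA256 with a fresh random salt per user.

    The stored string records algorithm, iteration count and salt so a verifier
    can recompute the hash and so weak records can be recognised later.
    """
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and rounds; compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(dk_hex))


def needs_rehash(stored: str, min_iterations: int = MIN_ITERATIONS) -> bool:
    """True when a record is still bare MD5 or was hashed with too few rounds."""
    if "$" not in stored:
        return True  # bare hex digest: a legacy MD5 record
    algo, iterations, _salt, _dk = stored.split("$")
    return algo != "pbkdf2_sha256" or int(iterations) < min_iterations


def build_legacy_store(users: dict) -> dict:
    """What an MD5-era password table looks like."""
    return {name: legacy_md5(pw) for name, pw in users.items()}


def build_modern_store(users: dict, iterations: int = MIN_ITERATIONS) -> dict:
    """The same users under the salted, iterated scheme."""
    return {name: hash_password(pw, iterations) for name, pw in users.items()}


def login_and_upgrade(store: dict, name: str, password: str) -> bool:
    """Check a login against a mixed store; on success, re-hash weak records.

    Login is the only moment the plaintext is available, so it is the only
    moment a legacy or low-cost record can be migrated to current settings.
    """
    stored = store.get(name)
    if stored is None:
        return False
    if "$" in stored:
        ok = verify_password(password, stored)
    else:
        ok = hmac.compare_digest(legacy_md5(password), stored)
    if ok and needs_rehash(stored):
        store[name] = hash_password(password)
    return ok


if __name__ == "__main__":
    legacy = build_legacy_store(SAMPLE_USERS)
    print("MD5: alice and bob collide:", legacy["alice"] == legacy["bob"])
    modern = build_modern_store(SAMPLE_USERS)
    print("salted: alice and bob collide:", modern["alice"] != modern["bob"] and False)
    store = dict(legacy)
    print("alice login:", login_and_upgrade(store, "alice", "hunter2"))
    print("alice record migrated:", not needs_rehash(store["alice"]))
```

Running the script shows the two MD5 records for the shared password are identical while the salted records differ, and that a successful login silently rewrites the legacy record. The same `needs_rehash` check is what lets a site raise its cost factor later without ever asking users to reset passwords.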

I am not a fan of governmental regulation.  It is usually too little and too late, too hard to change or improve, and subject to politics, compromise, and campaign contributions.  But if companies can’t independently come to the decision to do what is best and right by their customers, then I imagine the government will step in and impose their idea of a “solution.”  It is my hope that the marketplace will reward companies that improve their security, and penalize those that don’t, eventually forcing everyone to upgrade in order to compete.   Having just written those words, even I am laughing, but it is not funny.  This is something that is possible to do, and needs to be done now if we are ever to end the chaos of a never-ending cycle of breaches and information exposure.


About the Author:

Cybersecurity guru to business owners in the St Paul, Minneapolis, and western Wisconsin area. Computer security and hacking have been a passion of mine since I entered the computer and networking business in 2000. In 2013 I completed a course of study and certification exam to become a Certified Ethical Hacker (CEH). In 2016 I was certified as a Certified Information Systems Security Professional (CISSP). As Senior Cybersecurity Engineer at Computer Integration Technologies, I help our clients experience high levels of computer security, network security, and web site security. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also provide Cybersecurity Awareness Training for clients and their employees. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. The views expressed on this Web site are mine alone and do not necessarily represent the views of my employer.