Yahoo Breach Is Worse Than We Were Told

Three billion (3,000,000,000) is the current tally of breached user IDs, passwords, and customer account information at Yahoo.  This is most assuredly all of the user account information they were holding about their customers. If you were or are a Yahoo account holder, just assume your information is among the lost.

Earlier we reported that this breach may have been less significant because Yahoo was using a password-hashing method called “bcrypt.”  Bcrypt is more secure because it uses multiple rounds of hashing, coupled with the insertion of random data known as a “salt.”  It turns out that Yahoo was evidently on a low-salt diet, because salting was not part of the package.  The number of rounds was too few to be effective.  And Yahoo had only converted some of the password database from the old and ineffective MD5 hashes it had been using for years.
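As an added illustration of why the salt and the round count matter (this is not code from the original post), the following Python contrasts the legacy unsalted MD5 scheme with a salted, iterated hash. Since bcrypt requires a third-party package, the standard library's PBKDF2-HMAC stands in for it here; both designs pair a per-user random salt with a tunable work factor. The user names, passwords, and word list are constructed for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed sample data for this demonstration; none of it is from the breach.
USERS = {
    "alice": "sunshine",
    "bob": "sunshine",      # two users who happen to share a password
    "carol": "correct horse battery staple",
}
COMMON_WORDS = ["123456", "password", "sunshine", "qwerty"]


def md5_unsalted(password: str) -> str:
    """Legacy scheme: one fast MD5 over the password, no salt.
    Identical passwords produce identical hashes, so a single precomputed
    table of common words resolves every account that used one of them."""
    return hashlib.md5(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes, rounds: int) -> bytes:
    """Salted, iterated hash. hashlib.pbkdf2_hmac stands in for bcrypt here:
    like bcrypt it combines a per-user random salt with a work factor (the
    iteration count) that makes every guess proportionally more expensive."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)


def store_password(password: str, rounds: int = 600_000) -> dict:
    """Build the record a server would keep: random salt and round count
    stored beside the digest, so verification can recompute it later."""
    salt = os.urandom(16)
    return {"salt": salt, "rounds": rounds,
            "digest": salted_hash(password, salt, rounds)}


def verify_password(record: dict, candidate: str) -> bool:
    """Recompute with the stored salt and rounds; compare in constant time."""
    digest = salted_hash(candidate, record["salt"], record["rounds"])
    return hmac.compare_digest(digest, record["digest"])


def table_hits_unsalted(users: dict, words: list) -> list:
    """Accounts that one MD5 lookup table of common words resolves.
    The table is computed once and reused against every stored hash."""
    table = {md5_unsalted(w): w for w in words}
    stored = {u: md5_unsalted(p) for u, p in users.items()}
    return sorted(u for u, h in stored.items() if h in table)


def table_hits_salted(users: dict, words: list, rounds: int = 20_000) -> list:
    """The same table idea against salted records. A table computed under one
    salt matches nothing stored under another, so the precomputation buys
    nothing: each account must be guessed separately at full per-round cost."""
    table_salt = os.urandom(16)
    table = {salted_hash(w, table_salt, rounds): w for w in words}
    stored = {u: store_password(p, rounds) for u, p in users.items()}
    return sorted(u for u, r in stored.items() if r["digest"] in table)


if __name__ == "__main__":
    print("unsalted MD5, resolved by one table:", table_hits_unsalted(USERS, COMMON_WORDS))
    print("salted + iterated, resolved by one table:", table_hits_salted(USERS, COMMON_WORDS))
```

With unsalted MD5, alice and bob fall to the same table entry because their hashes are identical; with a per-user salt the shared password is invisible and the table resolves nothing. The round count is what turns each remaining guess from microseconds into a deliberate cost, which is why too few rounds undoes much of the benefit.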

The Yahoo episode, and the recent Equifax breach and so many others are disheartening because even though methods exist to keep customer information safe, nothing was implemented because it was too “hard,” too expensive, or required more resources to implement and people with special skills to operate them.

Companies that hold customer data need to encrypt it both at rest on disk and in transit across the Internet, using encryption techniques strong enough to withstand brute-force attacks by software and machines.

I am not a fan of governmental regulation.  It is usually too little and too late, too hard to change or improve, and subject to politics, compromise, and campaign contributions.  But if companies can’t independently come to the decision to do what is best and right by their customers, then I imagine the government will step in and impose their idea of a “solution.”  It is my hope that the marketplace will reward companies that improve their security, and penalize those that don’t, eventually forcing everyone to upgrade in order to compete.   Having just written those words, even I am laughing, but it is not funny.  This is something that is possible to do, and needs to be done now if we are ever to end the chaos of a never-ending cycle of breaches and information exposure.


About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com
