Analysis of the Yahoo! Data Breaches

23rd Sep 2019, Computer Science

This work has been submitted by a university student.

Yahoo!, a web service provider, reported two major data breaches affecting over 1.5 billion accounts by the end of 2016. On further investigation, Yahoo confirmed that all 3 billion accounts were affected in this cybersecurity incident. This is known to be the biggest data breach in the world of web service providers.

Yahoo CEO Marissa Mayer’s efforts to restore Yahoo to its prior popularity did not succeed. In 2016, Verizon confirmed it would acquire Yahoo for $4.83 billion but could not close the deal due to Yahoo disclosing the breaches. Yahoo’s world was turned upside down when it discovered it had suffered a data breach in 2014. The cyber-attack targeted 500 million accounts and obtained account names, email addresses, telephone numbers, dates of birth, hashed passwords, and some encrypted and unencrypted security questions. Yahoo reported this breach to the public in 2016 and believed it to be the work of state-sponsored hackers. In a twist of events, Yahoo filed an SEC report early in September stating that it was not aware of the data breach. But in another report filed in November, after disclosing the data breach to the public, Yahoo acknowledged that it had known of the intrusion into its systems. This filing also noted that Yahoo believed the entire intrusion was cookie-based.

While Yahoo and its investigators were working out the cause and impact of the 2014 cyber attack, they found another massive attack that had taken place before 2014. This attack took place in 2013 and was claimed to be the act of an unauthorized third party. The scale of impact was huge: this time the hackers obtained data from 1 billion accounts, including backup email addresses. While the investigators were tracking evidence of this breach, they were led to a dark web seller who was selling the data for $300,000 in August 2015.

How it happened

2013 Breach

It is still unclear how hackers were able to steal the information for all 3 billion Yahoo accounts in 2013, but in 2016, an Eastern European hacking collective offered the account information for sale. Since the data has been up for sale, three entities have purchased it; two of the known entities are “spammers” and the other appears to be interested in espionage. With assistance from law enforcement and an outside security firm, Yahoo was able to trace the sale of 1 billion accounts for a quarter million dollars. Due to the nature of the breach, authorities believe that the 2013 hack was a state-sponsored incident.

2014 Breach

Soon after Yahoo assumed 1 billion of its accounts were compromised, another breach occurred that affected about 500 million accounts. The hacker, Aleksey Belan (a Latvian hacker hired by Russian agents), was able to gain access to Yahoo’s User Database and account management tool through a spear-phishing campaign that specifically targeted Yahoo employees. Once inside the user database, Belan installed a backdoor on a Yahoo server and later copied a stolen backup of the user database to his personal computer.

Once the hackers identified accounts of interest, they used stolen cryptographic values, “nonces”, to generate access cookies through a script that was installed on a Yahoo server. In March 2017, the Department of Justice indicted four individuals for the hack. Two of the individuals indicted were Russian intelligence officers. Authorities said the stolen information was used to spy on a range of targets in the US.

These massive security breaches had a huge impact on Yahoo’s finances, business and public reputation, and involved many regulatory violations.

Business Impact:

Yahoo’s breach exposed different types of risk arising from the attack, not only to the users and the company but also to the entire IT world. Due to negligence, Yahoo essentially placed millions of users at risk of personal information theft as a result of the hack. Yahoo took two years to disclose the security breach to investors, the SEC and the public. CEO Mayer was against asking all the affected users to change their passwords, as she thought Yahoo would lose its customers. Yahoo’s customers and users lost faith in the company as a result of this event.

It is also claimed that Yahoo misled Verizon with false information and ended up signing a stock agreement containing no information about the major breach. This gave customers another reason to reconsider doing business with Yahoo. The lack of cybersecurity liability insurance caused it to be seen as an organization which could not be trusted with the privacy and safe protection of sensitive data.

Financial Implications:

During negotiations with Verizon, the two security incidents allowed Verizon to negotiate $350 million less for their acquisition of Yahoo in 2017 and triggered several investigations and lawsuits which undermined the reputation of Yahoo.

The massive data breach at Yahoo that compromised 3 billion accounts resulted in huge monetary costs. Yahoo was fined $35 million by the Securities and Exchange Commission as a penalty for falsely presenting the facts and failing to notify customers about the breach.

Yahoo was asked to pay $85 million in settlement charges for the damages caused and to provide free credit monitoring services for over 200 million impacted customers. Also, on learning about the breach disclosure, Verizon termed it a “material adverse event”, which cost Yahoo a $350 million reduction in the acquisition cost.

Apart from these charges, Yahoo had to pay $35 million in attorneys’ fees and another $16 million towards its cyber incidents, of which $5 million was solely dedicated to forensic investigation and remediation activities. It disclosed paying $11 million towards legal costs, investigations by five state and federal agencies, and 44 class action lawsuits.

Public Reputation:

With all the incidents surrounding Yahoo, its value was questioned, which cast a cloud over the acquisition. The ramifications of the data breaches cost Yahoo its customers’ trust and confidence.

Regulatory Violations:

The SEC’s administrative order alleges that Yahoo violated Sections 17(a)(2) & (3) of the Securities Act of 1933 and Section 13(a) of the Securities Exchange Act of 1934. The SEC was disappointed that the breach wasn’t reported on time and that investors were kept in the dark for around two years. The CISO of Yahoo had reports by December 2014 that hundreds of millions of Yahoo users’ personal data had been stolen, and Yahoo was also aware that the same team of hackers was continuously targeting its database in 2015 and 2016 as well.

Yahoo failed to appreciate and mitigate the cybersecurity risks; had it been able to do so, it could have prevented this massive data breach.

Recommendations:

A data breach on a massive scale is a major concern for an organization and has an impact on its business as well as its consumers. To improve the situation and prevent organizations from being hacked, the following recommendations could be put to use:

Preventive:

  1. Increase restrictions on the data employees can access by allowing them to access only the data they are authorized for. The hacker in the 2014 breach was able to access Yahoo’s user database through a phishing campaign. If employees are given different access authorizations, one compromised employee account will cause less damage, depending on its level of access to the company’s sensitive information. In the case of Yahoo, access to the customer database should only be given to a small number of high-level employees who have a need for the information.
  2. Ensure that employees and users follow a standard password policy. Recommend that they change their passwords frequently to keep the network and sensitive data secure and to help prevent hackers who have accessed the system before from returning with the same credentials. The bcrypt password technology used by Yahoo can help to prevent brute-force attacks but cannot stop front-door attacks. We recommend training employees on the danger of phishing emails and the different ways hacks or data breaches can occur.
  3. Deploy firewalls and security software, such as anti-spyware and antivirus programs, which can prevent and remove malicious code. Recommend that users and employees update their systems and programs regularly to protect themselves from known bugs and vulnerabilities. This applies especially to employees at Yahoo, because vulnerabilities in their work computers could compromise a whole network.
  4. Monitor suspicious activity and cookies: The executive branch should work along with the private sector to lower or forbid the usage of cookies, as the hackers used ‘forged cookies’, bits of code in the user’s browser cache that mean a user login is not required every time. Use resources to detect login activity through cookies and restrict access for these kinds of users in the future.
  5. Provide the required financial resources to the security department. In the case of Yahoo, CEO Ms. Mayer denied the funding necessary to improve the security infrastructure and put off proactive security defenses, including an intrusion detection mechanism for Yahoo production systems.
  6. Outsource IT security to professional security firms. Improve the security systems by involving professional security service companies and following best practices. An IT security department built into the corporate hierarchy tends to be over-optimistic about, or to overestimate, its own systems. Advice from a credentialed IT security firm would reinforce the protection of the corporation’s important data.
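
One way to implement the cookie monitoring recommended in item 4, as an added example (not part of the original essay and not Yahoo's tooling): flag cookie-authenticated requests whose session cannot be traced back to a valid interactive login. The JSON-lines log format, field names and sample events are constructed assumptions.

```python
import json

# Constructed sample auth events (not real Yahoo logs); field names are assumptions.
SAMPLE_LOG = """\
{"ts": 100, "event": "login", "account": "alice", "session": "s-1"}
{"ts": 130, "event": "cookie_auth", "account": "alice", "session": "s-1"}
{"ts": 200, "event": "cookie_auth", "account": "bob", "session": "s-9"}
{"ts": 210, "event": "login", "account": "carol", "session": "s-2"}
{"ts": 300, "event": "password_change", "account": "carol"}
{"ts": 320, "event": "cookie_auth", "account": "carol", "session": "s-2"}
{"ts": 400, "event": "cookie_auth", "account": "alice", "session": "s-2"}
truncated-or-corrupt line
"""


def parse_events(log_text):
    """Parse JSON-lines events, skipping lines that are not valid records."""
    events = []
    for line in log_text.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(ev, dict) and "ts" in ev and "event" in ev:
            events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def find_suspicious_cookie_auth(log_text):
    """Return (ts, account, session, reason) for cookie logins that do not
    trace back to a valid interactive login."""
    issued = {}      # session id -> account it was issued to at login
    revoked = set()  # sessions invalidated by a later password change
    findings = []
    for ev in parse_events(log_text):
        kind, acct = ev["event"], ev.get("account")
        if kind == "login":
            issued[ev["session"]] = acct
        elif kind == "password_change":
            revoked.update(s for s, a in issued.items() if a == acct)
        elif kind == "cookie_auth":
            sid = ev["session"]
            if sid not in issued:
                reason = "no_login_record"           # cookie minted outside the login flow
            elif issued[sid] != acct:
                reason = "session_account_mismatch"  # session presented for another account
            elif sid in revoked:
                reason = "used_after_password_change"
            else:
                continue
            findings.append((ev["ts"], acct, sid, reason))
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_cookie_auth(SAMPLE_LOG):
        print(finding)
```

The third reason also shows why the password changes discussed under the response measures only help if the server invalidates existing sessions at the same time.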

Detective Measures:

  1. Review of Intrusion Detection System: Hire an outside team or a security company to monitor devices for malicious activity. Reviewing any policy violations and other prohibited usage can help to prevent and diagnose risks and threats well in advance. This can prevent intruders from gaining information through virus or malware attacks.
  2. Technologies for detecting security breaches:

CAPTCHA: “Completely Automated Public Turing test to tell Computers and Humans Apart” is a system that ensures that a human is requesting the action. Most of the time, the CAPTCHA will pop up when you try to log into your account. The common types of CAPTCHA are word, question, and graphics recognition.

reCAPTCHA: Also called reversed CAPTCHA, it is used not only to keep spam away but also to digitize books and publications. Whereas CAPTCHA uses random words for verification, reCAPTCHA uses words that have been digitized to identify human activity.

Using these extra steps will help prevent robots and machines from gaining access to secure information as it is an extra step that cannot be completed by machines.

Response Measures:

  1. Update user and employee credentials: It is highly recommended that all users change their passwords after breaches are detected. As the hackers have the credentials, changing them can help stop an ongoing breach and limit the hackers’ reach. Make sure to strengthen security by taking necessary precautions such as turning on two-factor or multi-factor authentication.
  2. The breach response team within the company has to identify the extent of the breach by running resources like Business Impact Analysis (BIA) and Disaster Recovery (DR). This will help to identify the sensitive data and take the necessary steps to protect it. This team should also search for the company’s exposed data and make sure that no other company has a copy of this data.
  3. Consult the forensics team and law enforcement about a reasonable time to resume operations. The forensics team will continue to closely monitor the activities of users and employees, as this helps to establish where the breach occurred and possibly to catch future intrusions if activities are logged and monitored.

Yahoo’s data breach was one to remember and act upon, but in reality other organizations, large and small, are always at risk of being attacked. With the prevalent risks evolving, the traditional approach of focusing on critical components and protecting against bigger risks will not be helpful. In the current environment, one needs to be proactive and adaptive in approaching and mitigating different threats. A few ways to do so, which would help any large or small organization, are:

A cybersecurity specialist could help the organization understand the risks and their impacts:

 

Each employee at an organization must understand how crucial the data is and must strive to protect it from possible cyber attacks. This is possible if each one is educated about previous attacks by a person who understands the risks and helps reduce them. Understanding the reality is of utmost importance, and making sure the preventive measures are updated and in place will protect against such attacks in the future.

Cyber liability insurance:

Data breaches involve monetary damages which eventually add up. From Yahoo’s case, it is evident that it incurred huge losses and had to pay out large amounts. Cyber liability insurance can help organizations survive the aftermath of a cyber attack by covering recovery costs, credit monitoring and so on.

What can consumers do to expect more from the businesses we use?

Consumers of any business rely on it on the basis of trust and confidence. Trust aligns with the three goals of information security. First, maintaining confidentiality, that is, protecting customers’ data from being viewed by anyone else. Second, maintaining integrity, that is, keeping customer information reliable so that it is not corrupted when customers next access it or when decisions are made based on it. And third, availability, which means the service sold to a customer is available whenever they need it. Businesses make promises about securing information, and to make this work customers also need to do a little on their part to achieve better results from the businesses they invest in.

As businesses provide the three goals of information security, customers could make use of the facilities provided to them to secure their information. Customers can set up strong passwords to prevent access to their data. They can keep security patches up to date to limit threats from malware and viruses, and limit the amount of personal information they post online. Customers have to stay vigilant with their accounts, keep a watch for suspicious activity and inform the business if they experience any unusual event. By following these steps, customers could reap better benefits from the businesses they trust with their data.

How might an industry improve itself?

An industry can protect itself from potential data threats by creating and following a cybersecurity plan. Some common cybersecurity measures can be understood and put to use:

Having preemptive measures in place, and making sure all the required patches are applied in a timely manner.

Phasing out obsolete applications that are no longer in use and could be vulnerable to hacks.

Updating cybersecurity applications on a timely basis and testing them to make sure they work.

The most common and effective way is to educate employees to use complex passwords, avoid opening attachments from phishing emails and safely dispose of crucial information.

factor authentication in the applications that are used.

Industries can create a bring your own device policy which would outline what business information can be transmitted and stored on these devices.

Industries can implement web filtering technology, which provides real-time monitoring of URLs and blocks undesired access.

Industries should have a strong business continuity plan, which can help during a period of disruption. A disruption could impact the business and its revenue; having a backup of data will minimize the risk.
