Author: Davey Winder / Source: Raconteur
Yahoo! was once best known for being the search engine that lost out to Google in the nineties, but went on to become an internet giant acquiring blogging platform Tumblr in 2013 for $1 billion in cash. Today it’s better known for falling victim to the biggest cyber-security breach in history, also occurring in 2013 and involving a billion user accounts.
In addition, it fell victim to attackers in 2014 with a breach that impacted more than 500 million user accounts, the second largest in internet history. It hardly seems fair to mention the most recent disclosure from Yahoo! that revealed hackers accessed a further 32 million accounts using a forged cookie attack, stretching back two years.
This followed a statement in December 2016 confirming data associated with more than one billion accounts, dating back to August 2013, had been stolen. To compound how bad things have been for the company, just three months earlier it had disclosed an attack involving 500 million compromised accounts from 2014.
That Yahoo! is facing several lawsuits in the United States and abroad, as well as investigation by members of the US Congress, could explain why requests for comments go unanswered by its press office.
In fairness if, as Yahoo! chief information security officer (CISO) Bob Lord claims, state-sponsored actors were behind both the 32 and 500-million account breaches, it’s hard to be too critical. Four people have now been indicted by a US grand jury over the latter attack, two of them officers in the Russian Federal Security Service (FSB) so it looks like Mr Lord was right. And if a state-sponsored attacker wants your data, they are likely to get your data.
But that doesn’t mean you should make it easy for them. Among the account data stolen were hashed passwords, yet Yahoo! could have made things harder for the attackers by not using an outdated algorithm called MD5. Hashing is a one-way function, a mathematical operation that is easy to perform but hard to reverse, used to enable verification of passwords without having to…
Click here to read more
