Yahoo Transfers Data Breach Deja Vu...

The theft, which occurred in August 2013, is distinct from the theft disclosed earlier this fall, in which 500 million accounts were compromised, Yahoo CISO Bob Lord explained.

Stolen information may include names, email addresses, telephone numbers, dates of birth, passwords hashed using MD5 -- and in some cases, encrypted or unencrypted security questions and answers, according to Lord.

An unauthorized third party accessed the code Yahoo uses to create cookies, he noted. Access to that code allowed attackers to compromise accounts with forged cookies.

More Data Nicked

"More information was released than just usernames and passwords," explained Rami Essaid, CEO of Distil Networks.

"The bad guys are getting a more holistic look at these users," he told TechNewsWorld.

The weakly encrypted or plaintext security questions in particular could be problematic, because the answers to those questions don't change from site to site.

"You can change your passwords, but you only have one mother's maiden name and one birth date," Essaid noted.

Verizon Deal

As with the previous Yahoo data breach, Verizon's official reaction to the latest theft was brusque.

"As we've said all along, we will evaluate the situation as Yahoo continues its investigation," the company said in a statement provided to the E-Commerce Times by spokesperson Rich Young. "We will review the impact of this new development before reaching any final conclusions. We have no additional comment at this time."

Companies buy other companies for any number of reasons -- their customer lists, their technology or their talent, among other things -- observed RedSeal CEO Ray Rothrock.

"If Verizon was buying Yahoo for its customers, this is a bad deal," he told the E-Commerce Times.

Merger Downside

"It's likely Verizon will avoid merging databases," said Peter Martini, president of Iboss. "That will impact the value of the acquisition, since a good portion of that value was for Yahoo's customer database."


Go to Gmail

Whether the Verizon-Yahoo deal is completed or not, it's likely to influence many future mergers and acquisitions, noted Shuman Ghosemajumder, CTO of Shape Security.

"The deal will serve as the archetype for the need for thorough security-related due diligence by acquirers in the future," he told the E-Commerce Times.

"The worst-case scenario for Verizon would have been to have completed the acquisition at the original price before either of these breaches was discovered or announced," Ghosemajumder said.

"Future acquiring companies will want to do everything in their power to avoid such a situation, and will likely add more detailed security reviews to their due diligence processes."

This latest breach is tantamount to criminal negligence, suggested Stu Sjouwerman, CEO of KnowBe4.

Yahoo users should "vote with their feet" and close their Yahoo accounts, he told the E-Commerce Times. "Yahoo has proven not to be trustworthy, so I'm advising Yahoo account owners to go to Google." 
