Bolt, horse, stable: Yahoo hacked again but Verizon even more hacked-off
via flickr © darkday (CC BY 2.0)
- A billion accounts stolen. The biggest data breach in history!
- Happened in August 2013.
- Discovered by law enforcement agency - not Yahoo itself
- All the fault of "forged cookies" - apparently
Yahoo has just revealed that a hacking attack in August 2013 resulted in data pertaining to over ONE BILLION of its subscribers being stolen. It is the biggest security breach in history and comes on top of Yahoo's earlier admission, in September, that 500 million user accounts had been hacked. If Yahoo covered-up the attack until now it will be a monumental scandal and heads should roll. If it is a newly-discovered breach then it is prima facie evidence that Yahoo leaks like a sieve and heads should roll.
Whoever broke through Yahoo's obviously poor security systems (and the company is claiming that it is a 'state-sponsored' attack" - by which we are meant to infer what? That it that it was Russia, North Korea, Iran or perhaps a rogue from Rhode Island?). The hackers stole Yahoo subscriber names, telephone numbers, dates of birth, encrypted passwords and unencrypted security questions. All data that could be used to reset a password.
In a statement Yahoo says it is making all affected users change their passwords while Yahoo itself is "invalidating unencrypted security questions". It took an attack double the size of the September breach to force Yahoo into action. After the first admitted attack it simply refused to compel users to change their passwords or security questions. Too much like hard work presumably.
This isn't a matter of locking the stable door after the horse has bolted. It is one of knowingly leaving it open for three years during which time the horse has had a couple of gap years, backpacked around the world and carried the likes of Julan Assange and Edward Snowden off to their various exiles and hidey-holes. Then it went to live a life of luxury with Kim Jong Un where it is now blowing fragrant equine raspberries at Yahoo HQ. It is an utter disgrace.
Yahoo claims it found out about the 'new' attack after "analyzing data files provided by law enforcement". In other words the company didn't even manage to discover the breach form itself, it had to be told about it by outside agencies. It is pathetic.
Under the dreadful CEO-ship of Marissa Mayer, Google's star hasn't so much fallen as plunged to earth in a self-induced kami-kaze death dive. Security systems had been allowed to rot on the vine after Mayer and some of her executive team fought with the security department over the expense and 'inconvenience' of deploying upgraded security measures that would have brought the company up to par with the likes of Facebook and Google.
Once more Yahoo takes the biscuit
Yahoo’s chief information security officer, Bob Lord, has issued a statement to the effect that a "state-sponsored actor" has stolen Yahoo’s proprietary source code and adapted it to gain access to the accounts of individual Yahoo subscribers via "forged cookies" - the few lines of code that remain in a user's browser cache so that a website doesn't need a login every time the user pays it a visit. The lesson here is bloody evident. Delete your cache every time you log off and do it as a matter of routine. It is much wiser to take the time to logon afresh on each visit than it is to leave access open to hacker.
US journalist Brian Krebs, former computer security columnist with the Washington Post and a man renowned for his deep knowledge of security systems and how to break them commented, "For years I have been urging friends and family to migrate off Yahoo email, mainly because I watched as the company appeared to fall far behind its peers in blocking spam and other email-based attacks. I stand by that recommendation".
In 2008, Microsoft was prepared to buy Yahoo for US$44 billion. In July Yahoo sold its core businesses to Verizon for $4.8 billion - about a tenth of what was on offer eight years ago. In October, Verizon said was considering a renegotiation downwards of that price on the grounds that Yahoo had not disclosed the details of the first data breach during due diligence. And who could blame Verizon for that? Who knows how many other nasty surprises are lying there waiting to be discovered?
What Verizon will do now is anyone's guess. It could simply walk away from the deal or demand that the originally agreed purchase price should be lowered very substantially. It s certainly isn't a done deal yet.
It is as plain as a pikestaff what is wrong with Yahoo. It is well-said that a fish rots from the head down. That is exactly what is happening at Yahoo. In addition to the woeful ineptitude of Ms. Mayer, Yahoo has a supine 10-member Board of Directors, one of whom is David Filo, who co-founded Yahoo in the first place. Seven other directors have other jobs - as directors of other companies. Two financial officers (including the Chairman) are from companies external to Yahoo and there is no-one with high-level technology experience on the Board.
Dismiss the CEO, cull the Board, and take an axe to the senior executives. It's the only way. Perhaps Donald Trump could do an 'Apprentice Special' before he takes up Presidential office and fire Marissa Mayer on live TV. It would make great entertainment but would still be still too little too late.