CBR rounds up the reaction:
Yahoo statement
At Yahoo! we take security very seriously and invest heavily in protective measures to ensure the security of our users and their data across all our products. We confirm that an older file from Yahoo! Contributor Network (previously Associated Content) containing approximately 400,000 Yahoo! and other company users' names and passwords was stolen yesterday, July 11.
Of these, less than 5% of the Yahoo! accounts had valid passwords. We are fixing the vulnerability that led to the disclosure of this data, changing the passwords of the affected Yahoo! users and notifying the companies whose users' accounts may have been compromised. We apologise to affected users. We encourage users to change their passwords on a regular basis and also familiarise themselves with our online safety tips at security.yahoo.com.
Anna Brading, security consultant at Sophos
First and foremost, if you use Yahoo Voices, change your password now. Unfortunately, the list of compromised websites just seems to keep growing; in little over a month we’ve seen breaches from Formspring, Last.fm, LinkedIn and eHarmony, proving just how important it is to make sure your passwords are unique and hard to guess for every website you use.
Companies who run websites should consider how they are storing users’ information, and if visitors’ credentials are being protected. It is unclear what measures the website was taking to ensure that the passwords would stay safe, which is little consolation for the half a million users who have had their information compromised.
There are certainly questions which need to be answered – such as how were the hackers able to gain access to the information, and what measures was the site taking to ensure that even if its databases were breached, the passwords would not be easy to convert into plain text.
David Emm, senior security researcher at Kaspersky Lab
The number of targeted attacks continues to grow and hacks of this sort are no longer unusual. But the fact that the site’s database contained unencrypted passwords is a real cause for dismay.
Unfortunately, many people use the same password for multiple online accounts. This brings with it the risk that a compromise of one account puts all their accounts at risk. We would urge everyone to use a unique, complex password for all online accounts, i.e. one that is at least eight characters and mixes letters, numbers and symbols.
Chris Petersen, CTO, LogRhythm
Web applications continue to be seen as a soft target by cyber criminals looking to sell passwords on the black market. Passwords are of value when associated with an email account which is purported to be the case in the Yahoo breach. Because users often use the same password across different accounts, cyber criminals might be able to access other sites, company networks, and banking accounts if they can successfully map the compromised email address to the individual that owns it.
Organisations must start doing a better job of implementing web application defences if they want to avoid being the next Yahoo. Perimeter defences including web application firewalls are a good start but by themselves not sufficient. These technologies operate largely on the premise they can detect what is known. To have a chance of detecting what is not known, additional monitoring and response approaches must be employed.
Paul Ayers, VP EMEA of Vormetric
Yet again the world’s media is focused on another household name falling victim to a large-scale data breach. Whilst we’re still waiting for the full details of this incident to emerge, the potential implications from this breach could be extensive. Indeed, worried Yahoo users would do well to change their passwords with immediate effect.
The very fact is, this isn’t the first large brand that we’ve seen fall victim to a security breach, and it won’t be the last. And with every incident like this that happens, organisations worldwide are reminded of the changing threat landscape and the need for IT infrastructure to keep pace. As such, an organisation’s starting point shouldn’t be – ‘if’ we get hacked, but ‘when’.
Ultimately, focusing on a defensive perimeter around a network is not going to keep the bad guys out anymore. Servers hold the crown jewels of enterprise information, such as databases, and organisations need to ensure the security and access control of that server data.
Chris Hinkley, CISSP and senior security engineer, FireHost
Yahoo! has fallen victim to a SQL injection attack, which in comparison to most of the tools in a hacker’s box, is a pretty straightforward and common method of attack. Just as surprising is that the company – which claims to have more than 600,000 contributors to its Yahoo Voice service – had not encrypted its user passwords. Though the hackers have described the incident as only a ‘wake-up call’, if organisations do not take more robust precautions, the next attack could be much more damaging.
Rob Rachwald, director of security strategy, Imperva
Sadly, this breach highlights how enterprises continue to neglect basic security practices. According to the hackers, the breach was enabled by a union-based SQL injection vulnerability in the application, which is a well-known attack. To add insult to injury, the passwords were stored in clear text and not hashed (encoded). One would think the recent LinkedIn breach would have encouraged change, but no. Rather, this episode will only inspire hackers worldwide.
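The two weaknesses singled out by Hinkley and Rachwald, SQL spliced together from user input and passwords kept in clear text, are both addressed in the following added example (not code from the article or from any of the companies quoted). It uses only Python's standard library; the table, the column names and the user records are constructed for illustration and are not Yahoo's schema.

```python
import hashlib
import hmac
import os
import sqlite3
from typing import Optional, Tuple

# Work factor for PBKDF2; constructed value, tune to the hardware in use.
PBKDF2_ROUNDS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest): a per-user random salt and a PBKDF2-HMAC-SHA256 digest.

    A dumped table then holds only salt+digest, so a leak does not hand out
    the passwords themselves (the clear-text problem both commentators raise).
    """
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def create_store() -> sqlite3.Connection:
    """Constructed in-memory user table: email, salt, digest; no clear-text column."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT PRIMARY KEY, salt BLOB, digest BLOB)")
    return conn


def add_user(conn: sqlite3.Connection, email: str, password: str) -> None:
    salt, digest = hash_password(password)
    # Bound parameters (?) keep the email as data; it is never spliced into the SQL text.
    conn.execute("INSERT INTO users (email, salt, digest) VALUES (?, ?, ?)", (email, salt, digest))


def authenticate(conn: sqlite3.Connection, email: str, password: str) -> bool:
    # Parameterised lookup: the injection class the hackers described relies on
    # input being concatenated into the query string, which this never does.
    row = conn.execute("SELECT salt, digest FROM users WHERE email = ?", (email,)).fetchone()
    if row is None:
        return False
    return verify_password(password, row[0], row[1])


def stored_secret(conn: sqlite3.Connection, email: str) -> bytes:
    """What a dumped row actually exposes for this user: the 32-byte digest, not the password."""
    row = conn.execute("SELECT digest FROM users WHERE email = ?", (email,)).fetchone()
    return row[0]
```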