After Yahoo! breach, can users do anything to protect their online data?
After news broke last week that online services giant Yahoo! had suffered a data breach resulting in the compromise of account information on 500 million users, customers were left wondering how the breach would affect them while news organizations and industry observers heaped criticism on the company. Yahoo!'s public disclosure of the attack against its user database, which reportedly occurred at least two years ago, comes in the midst of the company's efforts to sell itself to Verizon, which said it learned of the breach at about the same time the public did. Subsequent news reports have charged that Yahoo! business executives, including CEO Marissa Mayer and Senior VP Jeff Bonforte (who has responsibility for Yahoo! email services), made public pronouncements and took actions that seemed to indicate that cybersecurity was a high priority, but in reality chose to de-emphasize security in favor of strategies to retain current users. This approach stands in strong contrast to other major online services providers such as Google that have suffered attacks (and compromises) in years past and responded by aggressively investing in stronger security controls, including protection for email messages and user account data.
The group that seems most overlooked in the aftermath of the breach is Yahoo! customers. As the New York Times and other media sources have reported, executives including Mayer chose not to implement even widely accepted practices such as automatically resetting user account passwords when a breach occurs. This is of course problematic when account credentials for email services are compromised, because end users may not be able to receive communications from the breached company if their password is changed, and such changes would normally be communicated to them via email. Yahoo! apparently also chose not to pursue end-to-end encryption for its messaging services, because doing so would eliminate the company's ability to scan message content for use in pitching services to customers. This leaves users more or less on their own to take corrective action, where the guidance remains pretty much the same whether we're talking about Yahoo! or any of the many other online companies that have suffered data breaches that compromised usernames, passwords, security questions, or other personal or credentialing information. Users sticking with Yahoo! should at the very least change their account password and the passwords of any other online accounts that are set up with the same username and password. Many articles recommend keeping an eye on your accounts to try to identify any unexpected activity, but for Yahoo! customers it seems more likely that the data disclosed about Yahoo! users would be put to use in account penetration attempts against other online providers (particularly those where the account username is a Yahoo! email address). Lastly, while it is not always an easy or consistent option, one of the best ways to limit the value of breached account credentials is to add two-factor authentication, although even with this additional level of protection, accounts that use the same login credentials may continue to be at risk.