Yahoo didn’t achieve much in the past decade even though it made several efforts. They missed some great deals and went with some strange ones. Its experiments with the products and services didn’t click as well. Finally in July this year, Yahoo was sold to Verizon for $4.8 billion.
Considering that Yahoo rejected offers from Microsoft to buy the company for $53 billion and $45 billion at different times, this deal might not sound amusing. But when one realizes that Yahoo was not left with much life on its own, Verizon seemed a deal worth settling for.
Things started to look slightly brighter, but that didn’t last for long. Yahoo confirmed a data breach that hit 500 million users, which makes it the biggest breach in the Internet history.
Image Credit: Esther via Flickr
Data breach with Yahoo occurred in 2014 and the company publicly accepted it on 22 September 2016. Even its recent buyer, Verizon has claimed that they got to know about the attack only a couple of days ago. Yahoo claims that passwords and payment details have not been breached, but the attacker has gained access to the names, email addresses, phone numbers, date of birth and encrypted passwords of the users.
Learning from Yahoo Attack
Those living in the digital world know that these details can cause some serious damage and there are some lessons that we can learn from the attack. Here are some important points that Digital CPAs and accounting professionals can learn from Yahoo attack:
1. Importance of Password Encryption
The data breach lost ‘encrypted passwords’ to the attacker but NOT ‘actual passwords’. Encryption modifies the password into a form that is legible for the machines only. It means that unless, the attacker is able to crack the encryption technique followed by Yahoo, accessing the user accounts will not be a possibility. So, the information residing in the accounts of the users can be considered safe.
Thanks to encryption, if the users change their passwords, the encrypted passwords that attacker has, will remain of no use. Going by the same reason, Yahoo has advised the users to change their passwords. Even though attacker has plenty of user data, encryption is able to save a lot in this case.
Accounting professionals have passwords for a number of applications, such as – email, accounting applications, tax software, cloud storage, social media, and several other accounting services accounts. Yahoo attack goes on to give a reminder that while choosing the cloud and internet-based services, always go with the service that practices password encryption.
2. Need of Changing Passwords Time and Again
A report – Where’s Your Data?, by Bitglass states that it takes 205 days on an average for a data breach to be recognized. The report mentions that the bait data used for the study had been clicked 1081 times in 22 countries within 12 days of its exposure. Can you imagine its reach in 205 days?
Coming back to Yahoo attack, the company accepted the breach publicly 2 years after the attack. What took them 2 years? It must have taken them some time to realize occurrence of the attack. Then, measuring the amount of data loss and analyzing if they can keep the breach a secret and the user protected forever would have added to this delay. During this period, the attacker must have tried decrypting passwords.
If the user is changing their passwords time to time, even the decryption does not make a way into their account. As users do not know about the breach immediately, CPAs and other accounting professionals must change their passwords at regular time intervals. Setting a reminder about is a smart step to start with.
During this period, the attacker must have tried decrypting passwords. If the user is changing their passwords time to time, even the decryption does not make a way into their account. As users do not know about the breach immediately, CPAs and other accounting professionals must change their passwords at regular time intervals. Setting a reminder about is a smart step to start with.
3. Maintaining Security at the User End
Using passwords that contain user details, like – name, phone numbers, date of birth, etc., could have easily made it easier for the attacker to sneak into the account because they were able to nab such detail by attacking Yahoo. Service providers make efforts at their end, but relying entirely on them and letting your ends ajar can prove to be a grave mistake.
Digital security experts recommend going with the security practices, such as – Multi-factor authentication, automated data backups, different passwords for different applications, random passwords, etc. Users relying on these security methods could have avoided their intrusion and mitigated the losses even if the attacker had gained the passwords.
As the accounting data demands great confidentiality, accounting professionals must take the responsibility to keep their operations secure and protected.
Comments (1)
Seems like situation is never going to improve for Yahoo. Verizon is fine with even after breach?
Yahoo attack is again a reminder that digital data is never secure. Be it on cloud or local infrastructure. It is either vulnerable to one form of loss or another.
Watermarking the data is a possible solution. Sure that will not protect against data theft, but you would be sure that if the stolen data is misused in future, you can always catch the thief.
Yahoo did worst by hiding it for that long. Possibly there were just waiting for the Verizon deal before the accepting the breach.
It’s not that security features of various service providers are vulnerable. Most of the intrusions are initiated by the mistakes from the user’s end.
It takes time for the company to realize breach and verifying the level of breach, but 2 years is not acceptable for a brand of such standards.