Kurt Scholtens – Technical Architect
Over the past couple of weeks, numerous news stories have emerged about the breach of 500 million Yahoo email accounts. Many believe it’s the largest-ever publicly disclosed data breach.
According to Yahoo’s statement: “The account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords and, in some cases, encrypted or unencrypted security questions and answers.” Users have been advised to change their passwords right away. If you have had a Yahoo account for a few years and have never changed your password, there is a good chance your account information was compromised in the early 2014 breach.
To protect the vast majority of email passwords, Yahoo uses bcrypt, a strong password hashing algorithm. However, for a small percentage of them, the company used md5, a general-purpose hashing function with known weaknesses and, unlike bcrypt, no configurable work factor to slow down guessing. Ashley Madison (the controversial dating site that was hacked last year) also used bcrypt, in combination with the md5 algorithm. Although hackers easily exposed the first 4,000 users with simple dictionary attacks, 11.2 million additional accounts were cracked in about a month due to md5’s sheer speed. Ashley Madison’s mistake of using md5 alongside bcrypt doesn’t make this an apples-to-apples comparison, but it makes us wonder how quickly hackers cracked 5 million Yahoo accounts.
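The difference between md5 and a work-factor hash like bcrypt is easier to see in code than in prose. The example below is added here and is not code from Yahoo, Ashley Madison, or the original post; it uses PBKDF2-HMAC-SHA256 from Python's standard library as a stand-in for bcrypt (both are salted and tunable, bcrypt is simply not in the standard library), and the user names, passwords and wordlist are constructed sample data. It shows two things a defender cares about: unsalted md5 lets anyone holding the table spot users who share a password, and a salted, iterated hash reduces the number of guesses per second an attacker gets by orders of magnitude.

```python
import hashlib
import hmac
import os
import time

# Constructed sample data: two users who chose the same weak password and one who did not.
# (Not from any real breach.)
USERS = {"alice": "password", "bob": "password", "carol": "Tr0ub4dor&3"}

# Constructed wordlist standing in for the dictionaries used in the attacks the post describes.
WORDLIST = ["welcome", "password", "123456", "qwerty", "letmein", "dragon", "sunshine"]

PBKDF2_ITERATIONS = 50_000  # the "work factor": raise it as hardware gets faster


def md5_store(users):
    """The weak scheme: unsalted md5. Same password -> same digest for every user."""
    return {name: hashlib.md5(pw.encode()).hexdigest() for name, pw in users.items()}


def pbkdf2_store(users, iterations=PBKDF2_ITERATIONS):
    """The strong scheme: per-user random salt plus an iterated hash.

    Stored as (salt, iterations, digest) so the verifier knows the parameters.
    """
    store = {}
    for name, pw in users.items():
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)
        store[name] = (salt, iterations, digest)
    return store


def verify_pbkdf2(store, name, candidate):
    """Check a login attempt against the salted store in constant time."""
    salt, iterations, digest = store[name]
    attempt = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, iterations)
    return hmac.compare_digest(attempt, digest)


def shared_password_groups(md5_table):
    """Group users by identical md5 digest: possible only because md5 here is unsalted."""
    groups = {}
    for name, digest in md5_table.items():
        groups.setdefault(digest, []).append(name)
    return [sorted(names) for names in groups.values() if len(names) > 1]


def guesses_per_second(hash_one, words):
    """Measure how many candidate passwords per second one CPU core can hash with a scheme."""
    start = time.perf_counter()
    for w in words:
        hash_one(w)
    elapsed = time.perf_counter() - start
    return len(words) / elapsed if elapsed > 0 else float("inf")


def slowdown_factor(iterations=PBKDF2_ITERATIONS):
    """How many times fewer guesses per second the salted, iterated scheme allows versus md5."""
    salt = os.urandom(16)
    md5_rate = guesses_per_second(lambda w: hashlib.md5(w.encode()).digest(), WORDLIST)
    pbkdf2_rate = guesses_per_second(
        lambda w: hashlib.pbkdf2_hmac("sha256", w.encode(), salt, iterations), WORDLIST
    )
    return md5_rate / pbkdf2_rate


if __name__ == "__main__":
    weak = md5_store(USERS)
    strong = pbkdf2_store(USERS)
    print("users sharing a password (visible in md5 table):", shared_password_groups(weak))
    print("distinct digests in salted table:", len({v[2] for v in strong.values()}))
    print("bob logs in with correct password:", verify_pbkdf2(strong, "bob", "password"))
    print("md5 is roughly %.0fx faster to guess against" % slowdown_factor())
```

Note that the salted store still verifies a correct login (that is its job), so a truly weak password such as "password" is still recoverable by a dictionary attack against either scheme; the work factor only changes how long each guess costs, which is exactly why the Ashley Madison md5 accounts fell in a month while bcrypt-protected ones did not.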
Yahoo claims its breach was likely a state-sponsored attack, which means there could have been resources such as supercomputers at the hackers’ disposal. Obviously this is only conjecture, but it would make sense given the speed with which the accounts were compromised!
While there are many steps we can take to protect our sensitive personal information, the simplest of which is to change our passwords regularly, we expect the service provider to protect our data effectively and responsibly. We don’t even want to think about it. Yet the Yahoo breach forces us to do just that. Is Yahoo concerned about its reputation and the perception of its ability to protect data? Do we believe that Yahoo did everything it could to protect our information in a responsible manner? What more could the company have done? Can we (and should we) trust Yahoo again, or is the brand damage too great? The answers are obvious to me, as my faith in Yahoo has been shaken. I was an avid user of Yahoo Instant Messenger from the early days. Sadly, those days are gone.
There have been more than 6,500 data security breaches in the US since 2005. Yahoo is just another example of a company that broke the trust of millions of customers. Nonetheless, Yahoo’s case provides a lesson that should resonate across all businesses: customer data is one of your most valuable assets; protect their data and you keep their trust.