Category Archives: Password

Yahoo says all three billion accounts hacked in 2013 data theft

(Reuters) – Yahoo on Tuesday said that all 3 billion of its accounts were hacked in a 2013 data theft, tripling its earlier estimate of the size of the largest breach in history, in a disclosure that attorneys said sharply increased the legal exposure of its new owner, Verizon Communications Inc (VZ.N).

The news expands the likely number and claims of class action lawsuits by shareholders and Yahoo account holders, they said. Yahoo, the early face of the internet for many in the world, already faced at least 41 consumer class-action lawsuits in U.S. federal and state courts, according to a company securities filing in May.

John Yanchunis, a lawyer representing some of the affected Yahoo users, said a federal judge who allowed the case to go forward still had asked for more information to justify his clients’ claims.

“I think we have those facts now,” he said. “It’s really mind-numbing when you think about it.”

Yahoo said last December that data from more than 1 billion accounts was compromised in 2013, the largest of a series of thefts that forced Yahoo to cut the price of its assets in a sale to Verizon.

Yahoo on Tuesday said “recently obtained new intelligence” showed all user accounts had been affected. The company said the investigation indicated that the stolen information did not include passwords in clear text, payment card data, or bank account information.

But the information was protected with outdated, easy-to-crack encryption, according to academic experts. It also included security questions and backup email addresses, which could make it easier to break into other accounts held by the users.

Many Yahoo users have multiple accounts, so far fewer than 3 billion people were affected, but the theft ranks as the largest to date, and a costly one for the internet pioneer.

Verizon in February lowered its original offer by $350 million for Yahoo assets in the wake of two massive cyber attacks at the internet company.

Some lawyers asked whether Verizon would look for a new opportunity to address the price.

“This is a bombshell,” said Mark Molumphy, lead counsel in a shareholder derivative lawsuit against Yahoo’s former leaders over disclosures about the hacks.

Verizon did not respond to a request for comment about any possible lawsuit over the deal.

Verizon, the likely main target of legal actions, also could be challenged as it launches a new brand, Oath, to link its Yahoo, AOL and Huffington Post internet properties.

In August, in the separate lawsuit brought by Yahoo’s users, U.S. Judge Lucy Koh in San Jose, California, ruled Yahoo must face nationwide litigation brought on behalf of account owners who said their personal information was compromised in the three breaches. Yanchunis, the lawyer for the users, said his team planned to use the new information later this month to expand its allegations.

Also on Tuesday, Senator John Thune, chairman of the U.S. Senate Commerce Committee, said he plans to hold a hearing later this month over massive data breaches at Equifax Inc (EFX.N) and Yahoo. The U.S. Securities and Exchange Commission already had been probing Yahoo over the hacks.

The closing of the Verizon deal, which was first announced in July, had been delayed as the companies assessed the fallout from two data breaches that Yahoo disclosed last year. The company paid $4.48 billion for Yahoo’s core business.

A Yahoo official emphasized Tuesday that the 3 billion figure included many accounts that were opened but that were never, or only briefly, used.

The company said it was sending email notifications to additional affected user accounts.

The new revelation follows months of scrutiny by Yahoo, Verizon, cybersecurity firms and law enforcement that failed to identify the full scope of the 2013 hack.

The investigation underscores how difficult it is for companies to get ahead of hackers, even when they know their networks have been compromised, said David Kennedy, chief executive of cybersecurity firm TrustedSEC LLC.

Companies often do not have systems in place to gather up and store all the network activity that investigators could use to follow the hackers’ tracks.

“This is a real wake up call,” Kennedy said. “In most guesses, it is just guessing what they had access to.”

Tip #6 Set Strong Passwords

Setting a strong password is the first line of defense when trying to protect your personal data and devices. Strong passwords are typically long, unique, hard to guess, and incorporate numbers, random words, and special characters. Using common words or easily guessable information about yourself and your lifestyle is not recommended.

Consider changing passwords regularly and using different passwords for different accounts. This prevents an attacker who compromises one password from immediately gaining access to all of your accounts.

Some common password tips include:

  1. Use a unique password for each of your important accounts.
  2. Use a mix of letters, numbers, and symbols in your password.
  3. Don’t use personal information or common words as a password.
  4. Make sure your backup password options are up-to-date and secure.
  5. Keep your passwords secure.


Article: Smoking vs. Weak Passwords

“A study revealed that the government spent $48 million on anti-smoking campaigns. Every year the same or a higher amount of money is spent on such campaigns. The government still allows its sale, though smoking is injurious to health.

Why talk about advertisements and sale of cigarettes and what does it have to do with weak passwords?

Like smoking, weak passwords have consequences. CISOs and security professionals spend thousands if not millions of dollars on awareness but still allow weak passwords.

Security professionals, those protecting organizations, leave many applications allowing users to enter weak passwords. Problems of weak passwords are higher where organizations allow Shadow IT applications. Many e-commerce websites accept weak passwords in favor of better user experience.

A strong password is a default necessity to increase our chances to stay protected. Yet, in a recent study, “123456” and “password” remained the most popular passwords in the years 2014 and 2015. Not only CISOs but end users too need to understand the dangers of weak passwords. But, sometimes “Ignorance is bliss” costs.

Password strength vs. user experience is going to be a never-ending debate. But as security professionals, we need to analyze risks and favor strong passwords.

Governments have the power to ban cigarettes, and so do CISOs and security professionals. Security managers too have the power to enforce strong passwords or make two-factor authentication mandatory.

It is clear that awareness alone is not enough to reduce exposure to weak passwords. Perhaps awareness must include real-life cases of breaches due to weak passwords, just like cancer patients are cast for anti-smoking advertisements!”


Article – Your Secret Questions Are Just as Terrible As Your Passwords

A recent article from PC Magazine highlights research from Google surrounding the limited effectiveness of secret questions for account recovery:

“Not being able to remember your secret question responses is annoying, but Google said the bigger concern is hackers who try to hijack accounts using “mass guessing attacks.” With weak answers, it’s not that difficult: a 2009 report from the Institute of Electrical and Electronics Engineers said that researchers guessed about 10 percent of people’s answers by using common responses.

In an era of openness, meanwhile, where your every move is chronicled online, it’s not hard to find things like place of birth, mother’s maiden name, or high school mascot by trolling a Facebook or Twitter account. This type of scenario is potentially how hackers gained access to celebrity iCloud accounts last year. “Certain celebrity accounts were compromised by a very targeted attack on user names, passwords, and security questions, a practice that has become all too common on the Internet,” Apple said in a September statement.”

Tips for Safe Password Sharing