Yahoo!! What A Breach That Was….


Well, it seems that a few days ago Yahoo! security was breached and the details of 450k passwords and user accounts were copied and published online by a group calling itself D33D. Yahoo! were quick to investigate this alleged breach and have assured customers that everything is now safely sorted out, but is it? ‘Computing’, the online magazine, checked some of the accounts and found they were still vulnerable, and has suggested that the breach was worse than Yahoo! are making it out to be. With this being a very popular email and shopping site, Yahoo! should have had much stricter encryption policies in place to prevent this sort of thing happening.

D33D have assured users that there was no malice involved and issued the following statement: “We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call, and not as a threat. There have been many security holes exploited in Web servers belonging to Yahoo Inc. that have caused far greater damage than our disclosure. Please do not take them lightly. The subdomain and vulnerable parameters have not been posted to avoid further damage.”

This breach prompted Boston-based data security expert Marcus Carey to state that “the key thing is from a corporate perspective: perhaps invest more in security. If Yahoo! didn’t encrypt their passwords, they were probably cutting corners on other things.”

So what does this mean for the hundreds of thousands of Yahoo! users? There will probably be a rash of strange emails floating around for a few days, but their accounts will not be used by D33D for anything other than exposing the failings of Yahoo! However, if anyone else has been able to get hold of the account and password details then things may change: we will find a lot of spam coming out and email accounts suddenly becoming insecure. What can Yahoo! users do about this? Simple: change your passwords immediately to something that is secure.
I have expounded on this before, but too many people have simple, basic passwords that they use because they are easy to remember and to type. If it is easy for you then it is easy for the hacker as well. People find creating a password quite a difficult task and fall back on their child’s or pet’s name, their date of birth or something even dafter like ‘password’, which is so common as to be unbelievable! Passwords do not have to be scientific equations, but they do need to be more than a simple word to stop easy access to your account. So if you use ‘rover’ as your password, it will be easier to hack into your account than one protected by ‘S1mPl1cITy’. I am not saying that is totally secure, but it goes a long way towards being there!

So what makes a good password? It needs to be long enough to prevent a hacker simply taking chances with random guesses at personal details; it needs to mix UPPER and lower case letters, numbers and other characters; and, if you have read my previous rant on passwords, it should ideally be 15 characters long, as a minimum, to prevent Windows ‘remembering’ it in the operating system. Alternatively you could use a pass-phrase, something like ‘I_do_NoT_like_SpiDers_IN_my_hair’, which is easy to remember but really difficult for a hacker to get round.

But I digress: the management teams at Yahoo! have got to take responsibility for this breach and hold their hands up to it, not hide away behind corporate statements saying how well they have reacted to the situation (which they have not, incidentally!). This breach leaves all other generic email accounts vulnerable, and I would suggest that everyone who uses a generic email supplier goes away and changes their password now, before anything nasty happens.
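As an added illustration (not the post's own code), the checker below applies the rules given above to the post's own examples: mixed case, digits, symbols, at least 15 characters, and a multi-word pass-phrase as the alternative route. The four-word pass-phrase threshold and the short common-word list are assumptions.

```python
import math
import re
import string

# Constructed example, not the post's own code: checks a password against the
# rules the post gives (mixed case, digits, symbols, 15+ characters) and
# accepts a multi-word pass-phrase as the post's stated alternative.
MIN_LENGTH = 15        # post's minimum; Windows LM hashes only cover <= 14 chars
MIN_PHRASE_WORDS = 4   # assumed threshold for treating input as a pass-phrase
# Constructed shortlist of weak choices; a real check uses a breached-password list.
COMMON_WORDS = {"password", "rover", "123456", "qwerty", "letmein"}
# (predicate, alphabet size, failure message) for each class the post wants mixed in
CLASSES = [
    (str.islower, 26, "no lower-case letters"),
    (str.isupper, 26, "no upper-case letters"),
    (str.isdigit, 10, "no digits"),
    (lambda c: c in string.punctuation, len(string.punctuation), "no symbols"),
]

def used_classes(pw):
    return [cls for cls in CLASSES if any(cls[0](c) for c in pw)]

def is_passphrase(pw):
    """True for several words joined by separators, e.g. I_do_NoT_like_..."""
    words = [w for w in re.split(r"[^A-Za-z0-9]+", pw) if w]
    return len(pw) >= MIN_LENGTH and len(words) >= MIN_PHRASE_WORDS

def check_password(pw):
    """Return (ok, failures): which of the post's rules the password misses."""
    failures = []
    if pw.lower() in COMMON_WORDS:
        failures.append("common word or name")
    if len(pw) < MIN_LENGTH:
        failures.append("shorter than %d characters" % MIN_LENGTH)
    if not is_passphrase(pw):  # pass-phrases need not mix every class
        used = used_classes(pw)
        failures += [cls[2] for cls in CLASSES if cls not in used]
    return (not failures, failures)

def charset_bits(pw):
    """Rough strength estimate: length * log2(size of the classes actually used)."""
    size = sum(n for _, n, _ in used_classes(pw))
    return round(len(pw) * math.log2(size), 1) if size else 0.0

if __name__ == "__main__":
    for pw in ("rover", "password", "S1mPl1cITy", "I_do_NoT_like_SpiDers_IN_my_hair"):
        ok, why = check_password(pw)
        print("%-34s %6.1f bits  %s" % (pw, charset_bits(pw), "OK" if ok else "; ".join(why)))
```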


About KPG Professional Services

Kevin has been working in the Data Protection field for over 20 years with The Post Office, Royal Mail Marketing, The Royal Bank of Scotland and Glasgow Housing Association Ltd. He is also trained in the Freedom of Information (Scotland) Act 2002 and has supplied expertise and support in this discipline for the past 4 years. In his leisure time Kevin is a presenter on Hospital Radio, an SRU rugby referee and referee coach and also the stadium announcer at McDiarmid Park for his team St Johnstone in the Scottish Premier League.
This entry was posted in Breaches, Data Protection, Email, Information Security, Password.
