Scam Of The Week: The 1 Billion Yahoo Hack
Stu Sjouwerman
This is getting old. It's all over the press... again. Here is a Reuters article where I am quoted, which covers the most recent billion-record Yahoo hack.
Some people asked me after our Flash announcement last week: "Stu, really, these hacks happened a few years ago, closing down my whole Yahoo account, or blocking Yahoo at the firewall... aren't you going a bit overboard here?"
Good question. Here is my take:
Well, that whole 1B database was sold on the dark web by a group of professional blackhats from Eastern Europe for 300K, (and is still for sale at a much lower price right now) which means that a ton of bad guys now have these credentials, but worse, they have answers to security questions like "your mother's maiden name" which do not change like passwords, and and backup email addresses that could help with resetting forgotten passwords.
Bloomberg reported that 150,000 U.S. government and military employees are among the victims in the latest breach.
My position is that all Yahoo accounts need to be considered compromised. They are sitting ducks for spam, phishing and malware attacks. If employees check their Yahoo account on their lunch break, do you want to expose your company network to that?
It looks like Yahoo has not learned their lessons, so new hacks can happen any time. There has been an exodus of qualified Yahoo staff and they seem to be unable to apply best security practices. They are now forcing all users (link to WSJ article) to change their password, but that's too little, too late. I simply have lost trust.
So, I recommend you warn your users, friends and family... again. We have been here before on September 23rd when the 500 million record hack was first announced.
In September, Yahoo did not force people to change passwords, but now they are forcing a password change, and the bad guys are (again) all over this -- the ones that own the Yahoo database but also the ones that do not, because news like this is a phishing paradise.
This is a phishing paradise with significant fallout
Phishing attacks likely will be the number one possible fallout, with Yahoo user accounts being used for social engineering attacks. However, since many people use the same username and passwords across multiple sites, the other thing that will continue to happen is called "credential-stuffing", a brute-force attack where attackers inject stolen usernames, passwords and possibly the answers to security questions into a website until they find a match using the stolen Yahoo username and passwords.
The bad guys will continue to exploit this, so remind your users
Remind your users, friends and family. They will be likely be confronted with Yahoo-related scams in their inbox. The bad guys are going to leverage this in a variety of ways, starting with bogus password reset phishing attacks, but also with masked links so that if you click on it you wind up on a compromised site which could steal personal information and/or infect the computer. The variations are infinite, but the defense against it is relatively simple.
I suggest you send them the following reminder - feel free to copy/paste/edit:
"Yahoo announced that 1 billion of their accounts were hacked. These accounts are now sold by internet criminals to other bad guys which are going to use this information in a variety of ways. For instance, they will send phishing emails claiming you need to change your Yahoo account, looking just like the real ones. Here is what I suggest you do right away.
If you do not use your Yahoo account a lot. Close it down because it's a risk. If you use it every day:
Open your browser and go to Yahoo. Do not use a link in any email. Reset your password and make it a strong, complex password or rather a pass-phrase.
If you were using that same password on multiple websites, you need to stop that right now. Using the same password all over the place is an invitation to get hacked. If you did use your Yahoo passwords on other sites, go to those sites and change the password there too. Also change the security questions and make the answer something non-obvious.
At the house, use a free password manager that can generate hard-to-hack passwords, keep and remember them for you.
Watch out for any phishing emails that relate to Yahoo in any way and ask for information.
Now would also be a good time to use Yahoo Account Key, a simple authentication tool that eliminates the need to use a password altogether.
Yahoo Breach Phishing TemplateIf you are a KnowBe4 customer, we have a template in the Current Events Campaign which I suggest you send to all your users immediately as a reminder.
This is the largest hack ever, below is a graph fresh from an article in the Wall Street Journal that puts it in perspective. I suggest you send this to your management.
This is exactly the kind of thing that they want to prevent from happening and security awareness training is the number one thing that makes your organization more hack-resistant since your users are your weakest IT security link.
