The cat is finally out of the bag. Yahoo! recently announced that it was hacked, with the personal details of over 500m accounts having been stolen. Of course, users by the dozen flocked to social media to vent their anger – frustrated that it took the company two years to realise there had been a breach.
Amongst the frustrated was Nicola Fulford, head of data protection and privacy at technology and digital media law firm Kemp Little, who was lost for words at how long it took Yahoo! to notice. She said: “Serious questions need to be asked about the effectiveness of the security measures and information governance structures in place.”
Now dubbed one of the biggest cyber breaches in history, experts have warned that the hack could also put those not using Yahoo! at risk. As Joon Ian Wong put it: “Stubborn user behaviour and the economics of darknet markets mean the chances of a serious breach at another major internet service increase dramatically with each hack.
“When a big cache of hacked passwords ends up traded on darknet markets, it often gets added to password databases. These databases can be used maliciously by hackers, who will try to find passwords reused on other services. It’s the equivalent of trying millions of different keys on a particular door, except it’s all automated and can be done in days.”
The breach has seen Yahoo! itself urge users to change their passwords and security questions. But that won’t help much, Fulford explained. She suggested that knowledge of security answers could give hackers sensitive information about finances, health, family and career. This information could enable someone to build an accurate picture of a person’s life and steal their identity.
“The recent tribunal decision relating to the TalkTalk breach held that customers raising detailed complaints can give sufficient awareness to a company of breach,” she said. “Under mandatory breach notification rules it does not have additional time to then carry out its own investigations before being obliged to notify the breach. Whilst Yahoo! may not be subject to the same mandatory laws as TalkTalk currently, in light of the Verizon deal, it may still regret not being more open with its customers (and the ICO) earlier.”
Her words have come true, with a class action lawsuit now being filed against Yahoo!, accusing the company of “gross negligence”. It was suggested by those involved in the case that the two years it took Yahoo! to learn accounts had been compromised was unacceptable.