Security Reminder

By on Sep 28, 2016 in Technology

The latest Yahoo breach holds the record for the largest single breach of user accounts. The hack, which occurred in 2014, enabled hackers to collect personal information associated with at least half a billion Yahoo accounts: names, email addresses, phone numbers, birth dates, and even security questions and answers, according to Yahoo’s press release. What’s even scarier is that encrypted passwords, which are jumbled so only a person with the right passcode can read them, were also stolen.

As a consequence, Yahoo users are encouraged to review their accounts for suspicious activity, change their passwords and security questions, avoid clicking on suspicious links, and consider using a new authentication tool called Yahoo Account Key. Of course, there is always the option to switch to Gmail or iCloud.

According to research from Alertsec, about 97 percent of Americans lose trust in companies like Yahoo after massive data breaches, so it will take Yahoo quite some time before it starts rebuilding its users’ trust. However, when a company has allowed its customers’ data to fall into the hands of criminals, regaining trust is difficult, and in some cases, impossible.

This breach serves as a reminder of how widespread hacking is, and it raises again the question of whether the current system of passwords and security questions provides the best kind of protection. The answer seems pretty obvious: something needs to change. Cybersecurity specialists recommend using a different password for each account, while other experts are working on alternatives to passwords such as one-time passwords, biometrics and two-factor authentication.

“Cybercriminals know that consumers use the same passwords across websites and applications, which is why these millions of leaked password credentials are so useful for perpetuating fraud,” said Brett McDowell, executive director of the FIDO Alliance, an organization that vets the security of password alternatives. “We need to take that ability away from criminals, and the only way to do that is to stop relying on passwords altogether.”

Most likely unrelated to the Yahoo breach, Lenovo announced a partnership to bring FIDO fingerprint authentication to its laptops. The joint venture consists of Lenovo, Synaptics and PayPal, and plans to combine Lenovo’s laptops with Intel’s on-chip hardware security, allowing the customer to use Synaptics’ biometric sensors in place of passwords when logging into FIDO-compliant services (such as PayPal). This is secured by FIDO’s security spec, which already has widespread support across the industry.

The FIDO Alliance was founded in 2013 by Lenovo and PayPal and is backed by major companies such as Google, Bank of America and Microsoft. Its goal is to develop new methods of authentication that are simpler and more secure than passwords. It’s good to know that, back in 2015, Microsoft announced that it would be integrating FIDO support into Windows 10.

So far, no timeline has been given as to when the first batch of FIDO-enabled laptops will be released, but many point to CES 2017, which is just around the corner. In the meantime, stay safe!