1 Billion Yahoo Accounts Breached. Impacts for Australian Businesses

Yahoo have announced yet another massive breach of their systems, this time dating back to 2013 and impacting around 1 billion user accounts. If you had a Yahoo account in 2013, we recommend you immediately review the security guidance they have published here:

https://help.yahoo.com/kb/account/SLN27925.html

When the breach of 500 million Yahoo accounts was announced in September, we wrote up some steps you should take as a business to respond. Yet again, you should reset your Yahoo password and change your password on any other service that is linked to that account or where you have reused the same or a similar password. It is also important that staff within your business do the same, because a reused staff password puts your business systems at risk if that staff member's personal accounts come under attack.

IDCARE (Australia and New Zealand's National Identity Support Service) have also provided the following advice for individuals on their website:

  1. Change your password and security questions/answers.
  2. Check your forwarding and filtering rules.
  3. Identify the inventory of personal information you have in your emails (from you and others).
  4. If you’ve found driver licence, passport, credit card or banking details – give IDCARE a call during office hours or go to our credit reporting advice section. Don’t let people tell you that you can’t do anything about cybercrime. There are always things you can do.

Beyond protecting account credentials, there are other potential business impacts you should be mindful of with a compromise of this magnitude.

Staff Password Reuse

One trend that has started to appear following large data breaches is cyber criminals attempting to compromise other, unrelated accounts where the same password has been reused (often called credential stuffing). The most public example of this was when Mark Zuckerberg's Twitter and Pinterest accounts were compromised, allegedly using his leaked LinkedIn password.

Take a moment to consider where you've created an account using your Yahoo address or where you've used a similar password. Ask your staff the same thing. If you're reusing passwords or following a guessable pattern, someone with enough motivation could find your business a reasonably easy target. Always use strong, unique passwords and consider using a password manager.

Customer and Client Accounts

Protecting staff access to your systems is one thing, but also consider any systems where your customers or clients may be left exposed. Do your customers log into a hosted service with an email address and password? If so, have a think about what you could do to reduce the chances of their logins to your systems being compromised.

One action larger businesses are starting to take is to force a password reset for users whose credentials have been found in these types of leaks. Amazon did this earlier this year as a preventative measure to protect its users. This is likely based on commercial access to databases of leaked credentials and is not something the average Australian SMB could easily do; however, it may be worth considering what you could do for customers who have registered with you using an @yahoo email address.
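One practical version of that last suggestion is to identify every customer registered with a Yahoo mail address, flag the account so the next successful login is diverted into a password reset, and revoke any live sessions at the same time. The following is an added example written for this article, not code from the original page or from any vendor; the user records, the list of Yahoo domains and the in-memory session store are constructed for illustration (assumption: your real user store and session backend expose equivalent operations).

```python
"""Flag customer accounts registered with a Yahoo address and force a
password reset at their next login.

Added example for this article, not code from the original page. The
user records, the Yahoo domain list and the in-memory session store are
constructed for illustration."""
from dataclasses import dataclass, field

# Mail domains operated by Yahoo. Assumption: a partial list; extend it
# from the address domains actually present in your customer database.
YAHOO_DOMAINS = {"yahoo.com", "yahoo.com.au", "yahoo.co.uk",
                 "ymail.com", "rocketmail.com"}


@dataclass
class User:
    email: str
    password_must_reset: bool = False
    sessions: set = field(default_factory=set)  # live session identifiers


def is_yahoo_address(email: str) -> bool:
    """True if the domain part is a Yahoo domain or a subdomain of one.

    The comparison is case-insensitive and anchored on a dot boundary, so
    'mail.yahoo.com' matches but 'yahoo.com.attacker.example' does not."""
    if email.count("@") != 1:
        return False
    domain = email.rsplit("@", 1)[1].strip().lower().rstrip(".")
    return any(domain == d or domain.endswith("." + d) for d in YAHOO_DOMAINS)


def flag_exposed_accounts(users):
    """Mark every Yahoo-registered account as needing a reset and revoke its
    live sessions, so an attacker already logged in with a reused password
    is cut off rather than merely asked to reset. Returns the flagged emails."""
    flagged = []
    for user in users:
        if is_yahoo_address(user.email):
            user.password_must_reset = True
            user.sessions.clear()
            flagged.append(user.email)
    return flagged


def login(user: User, password_ok: bool) -> str:
    """Login decision. A correct password on a flagged account does not yield
    a normal session; the caller must route the user into the reset flow."""
    if not password_ok:
        return "denied"
    if user.password_must_reset:
        return "reset_required"
    return "ok"


if __name__ == "__main__":
    # Constructed sample records.
    customers = [User("alice@yahoo.com", sessions={"sess-1"}),
                 User("bob@example.com", sessions={"sess-2"}),
                 User("carol@YMAIL.com")]
    print(flag_exposed_accounts(customers))
    print(login(customers[0], True), login(customers[1], True))
```

One caveat when you build the reset flow itself: the obvious reset email goes to the very Yahoo mailbox that may be compromised, so require the current password (or another factor you hold, such as a phone number verified at registration) before accepting the new one, rather than relying on the emailed link alone.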

Spear-Phishing & Scams

Beyond the risks associated with a compromised password, quite a bit of personal information was also leaked. Yahoo's notice states that the stolen data may have included names, email addresses, telephone numbers, dates of birth, MD5-hashed passwords and, in some cases, encrypted or unencrypted security questions and answers. That is exactly the material a convincing targeted email or phone call is built from.

IDCARE have been supporting Australian identity theft victims for a number of years and provided the following advice regarding the loss of similar details from the Red Cross earlier this year:

Be very vigilant about emails, telephone calls and SMS messaging received. “Spear Phishing” can look incredibly believable. Be cautious of clicking on links or attachments and do your own research and explore alternative contact methods for the sender. Check the email address to see whether it is an email address the sender uses.
(Source: IDCARE Red Cross Response Plan)
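The last point in that advice, checking whether the From address is one the sender actually uses, is also something a mail gateway or a small triage script can do before a message reaches staff. The following is an added example written for this article, not code from the original page or from IDCARE; the contact book, the confusable-character table and the sample headers are constructed for illustration. It goes a little beyond the advice above by also catching two common tricks: an email address planted in the display name, and a lookalike domain that differs from the real one by a character substitution.

```python
"""Check a message's From header against the addresses a known contact
actually uses.

Added example for this article, not code from the original page or from
IDCARE. The contact book, the confusable table and the sample headers are
constructed for illustration."""
from email.utils import parseaddr

# Constructed contact book: lower-cased display name -> addresses that
# sender is known to use (assumption: populated from your own address book).
KNOWN_SENDERS = {
    "jane smith": {"jane.smith@supplier.example", "jsmith@yahoo.com"},
    "accounts payable": {"ap@supplier.example"},
}


def skeleton(domain: str) -> str:
    """Collapse common lookalike substitutions so 'supp1ier' and 'supplier'
    compare equal. Assumption: a deliberately small table; real confusable
    lists (for example Unicode TR39) are much longer."""
    return domain.lower().replace("rn", "m").replace("0", "o").replace("1", "l")


def check_sender(from_header: str):
    """Classify a From header.

    Returns (verdict, address) where verdict is one of 'reject', 'unknown',
    'match', 'spoofed_display', 'lookalike' or 'mismatch'."""
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    if "@" not in addr:
        return ("reject", addr)  # no usable address at all
    # An address planted in the display name that differs from the real
    # one, e.g. "jane.smith@supplier.example" <attacker@evil.example>.
    if "@" in name and name.strip().lower() != addr:
        return ("spoofed_display", addr)
    known = KNOWN_SENDERS.get(name.strip().lower())
    if known is None:
        return ("unknown", addr)
    if addr in known:
        return ("match", addr)
    domain = addr.rsplit("@", 1)[1]
    known_domains = {a.rsplit("@", 1)[1] for a in known}
    if any(skeleton(domain) == skeleton(k) for k in known_domains):
        return ("lookalike", addr)  # same name, near-identical domain
    return ("mismatch", addr)  # same name, unrelated address


if __name__ == "__main__":
    # Constructed sample headers.
    for header in ("Jane Smith <jane.smith@supplier.example>",
                   "Jane Smith <jane.smith@supp1ier.example>",
                   '"jane.smith@supplier.example" <attacker@evil.example>',
                   "Jane Smith <jane.smith@freemail.example>"):
        print(check_sender(header))
```

Anything other than "match" deserves the alternative-contact step IDCARE recommends: ring the sender on a number you already hold rather than one in the message. Note that `parseaddr` only handles a syntactically valid header; a display name containing an unquoted address is parsed differently across Python versions, so the example quotes it, which is also how such messages usually arrive.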