1 Billion Yahoo Accounts Breached. Impacts for Australian Businesses
Yahoo have announced yet another massive breach of their systems, this time dating back to 2013 and impacting around 1 Billion user accounts. If you had a Yahoo account in 2013 we recommend you immediately review the security guidance they have published here:
When the breach of 500 Million Yahoo accounts was announced in September, we wrote up some steps you should take as a business to respond. Yet again you should consider resetting your Yahoo account and changing your password on any other service that may be linked or where you have reused or used a similar password. It is also important to ensure that any staff within your business do the same as they may leave your business systems at risk if they come under attack.
IDCARE (Australia & New Zealand's National Identity Support Service) have also provided the following advice for individuals on their website:
- Change your password and security questions/answers.
- Check your forwarding and filtering rules.
- Identify the inventory of personal information you have in your emails (from you and others).
- If you’ve found driver licence, passport, credit card or banking details – give IDCARE a call during office hours or go to our credit reporting advice section. Don’t let people tell you that you can’t do anything about cybercrime. There are always things you can do.
Beyond protecting account credentials there are some other potential impacts you should be mindful of with compromises of this magnitude from a business perspective.
Staff Password Reuse
One trend that has started to appear following large data breaches is cyber criminals attempting to compromise other, unrelated accounts where the same password has been reused. The most public example of this was when Mark Zuckerberg's Twitter and Pinterest accounts were compromised, allegedly using his leaked LinkedIn password.
Take a moment to consider where you've created an account using your Yahoo account or where you've used a similar password. Ask your staff the same thing. If you're reusing passwords or using a guessable password pattern, someone with enough motivation could find your business a reasonably easy target. Always use strong, unique passwords and consider using a password manager.
Customer and Client Accounts
Protecting staff access to your systems is one thing, but consider any systems where your customers or clients may also be left exposed. Do your customers log into a hosted service with an e-mail address and password? If the answer is yes, have a think about what you might be able to do to reduce the chances of their logins to your systems being compromised.
One action larger businesses are starting to take is to force a password reset for users whose details have been found in these types of leaks. Amazon did this earlier this year as a preventative measure to maintain the security of its users. This is likely based on commercial access to databases containing this type of information and is not something the average Australian SMB could easily do, however it may be worth considering what you could do for customers that have registered with you using an @yahoo email address.
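As an added illustration of that last point (example code written for this article's readers, not CyberAsk's own tooling or Amazon's process): a small Python routine that picks out the customers in a user list who registered with a Yahoo-operated address and whose password has not already been changed since the breach was announced, so they can be sent a forced reset. The list of Yahoo domains, the record fields and the cut-off date are assumptions you would adjust to your own systems; the sample records are constructed.

```python
from datetime import date
from typing import Dict, Iterable, List, Optional

# Assumed set of mail domains operated by Yahoo. This is an assumption for the
# example, not a list from the article; extend it to match what your own
# customer data actually contains.
YAHOO_DOMAINS = {
    "yahoo.com", "yahoo.com.au", "yahoo.co.nz", "yahoo.co.uk",
    "ymail.com", "rocketmail.com",
}


def mail_domain(address: str) -> Optional[str]:
    """Return the normalised domain part of an e-mail address, or None if malformed.

    Normalisation matters because customer records are often untidy: surrounding
    whitespace, mixed case and a trailing dot would otherwise hide a match.
    """
    if not isinstance(address, str) or "@" not in address:
        return None
    local, _, domain = address.strip().rpartition("@")
    domain = domain.lower().rstrip(".")
    if not local or not domain:
        return None
    return domain


def is_yahoo_address(address: str) -> bool:
    """True if the address is on a Yahoo-operated domain, including regional
    subdomains such as au.yahoo.com."""
    domain = mail_domain(address)
    if domain is None:
        return False
    if domain in YAHOO_DOMAINS:
        return True
    return any(domain.endswith("." + d) for d in YAHOO_DOMAINS)


def accounts_to_reset(users: Iterable[Dict], announced: date) -> List[str]:
    """Select the ids of users who log in with a Yahoo address and whose password
    has not been changed on or after the breach announcement date.

    Assumed record shape: {"id": str, "email": str, "password_changed": date | None}.
    Users who already rotated their password after the announcement are skipped so
    they are not forced through a second reset.
    """
    selected = []
    for user in users:
        if not is_yahoo_address(user.get("email", "")):
            continue
        changed = user.get("password_changed")
        if changed is not None and changed >= announced:
            continue
        selected.append(user["id"])
    return selected


# Constructed sample customer records (not real data).
SAMPLE_USERS = [
    {"id": "u1", "email": "alice@yahoo.com", "password_changed": date(2015, 3, 1)},
    {"id": "u2", "email": " Bob@Yahoo.COM.AU ", "password_changed": None},
    {"id": "u3", "email": "carol@example.com", "password_changed": None},
    {"id": "u4", "email": "dave@ymail.com", "password_changed": date(2016, 12, 20)},
    {"id": "u5", "email": "not-an-address", "password_changed": None},
    {"id": "u6", "email": "erin@au.yahoo.com", "password_changed": None},
]

# Assumed cut-off for the sample run: use the date you learned of the breach.
ANNOUNCED = date(2016, 12, 14)

if __name__ == "__main__":
    for user_id in accounts_to_reset(SAMPLE_USERS, ANNOUNCED):
        print(f"force password reset and notify: {user_id}")
```

Run against the sample data this selects u1, u2 and u6: u4 is skipped because that customer already changed their password after the cut-off, and u5 is skipped because the address is malformed rather than being silently matched. In practice the output list would feed whatever reset-and-notify mechanism your hosted service already has, and the notification should tell customers why they are being asked to reset so it is not mistaken for a phishing attempt.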
Spear-Phishing & Scams
Beyond the risks associated with a password being compromised, quite a bit of personal information was also leaked.
IDCARE have been supporting Australian identity theft victims for a number of years and provided the following advice regarding a loss of similar details from Red Cross earlier this year:
As with the password reuse risks, the risks from these scams can impact both your staff and your customers. Be extra careful with any dealings you may have over a Yahoo account, take extra measures to validate any contact that seems unusual and, if you have any concerns, speak up and seek a second opinion.
Don't Forget Business Partners
Sole operators in particular regularly use free email services such as Yahoo Mail as part of their business. As with you, your staff and your customers, your suppliers and partners may be targeted by scammers and other cyber criminals and in turn place you at risk. If you do business with someone using these types of accounts, consider having a chat to them about how they manage their IT security.
If you use a Yahoo Mail account in your business, you should take immediate action to secure it and consider moving to a dedicated business email provider such as G Suite from Google or Office365 from Microsoft. These services can cost as little as $5 a month and will give you access to a range of other features.
At CyberAsk we're working hard to develop solutions for Australian Small and Medium Businesses looking to improve their data security and respond effectively to IT security incidents. If you'd like to discuss the risks outlined in this article or any other data security risks you have as a business, please get in contact and we'll see how we can help.