Yahoo! recently announced that a billion user records were stolen from them. Just another run-of-the-mill hack? Apparently not. You see, more than 150,000 of those records apparently belonged to U.S. government and military employees. And their names, passwords, telephone numbers, security questions, birth dates, and backup e-mail addresses are now in the hands of cybercriminals to be used for who knows what. Actually, I have a pretty good guess – and phishing comes to the top of my mind.
What Is A Backup Email Address And Why Do I Care?
Like many other web services, Yahoo! allows customers to set up a recovery email address. If you forget your password or your account is locked, a special link in an email sent to your backup address can be used to recover your credentials. And apparently, many thousands of those backup email addresses ended in .gov or .mil. Yeah, workers with access to US government systems, and the secrets on them.
Yahoo! Did Not Know They Were Hacked…
Many have said that there are two types of companies: those that have been hacked, and those that don’t know that they’ve been hacked. In this case, cyber-security researcher Andrew Komarov kindly let the United States federal government know that he had found Yahoo! users’ credentials on the Dark Web, and the feds in turn notified Yahoo! But that wasn’t even the beginning of the nightmare.
In fact, Bloomberg News reviewed the database that Komarov discovered and confirmed a sample of the accounts for accuracy. The thought that employees of government agencies like the National Security Agency may have had their personal information stolen immediately sent chills through the security community.
Since a 2012 Ponemon study showed that “Reusing the same password and username on different websites” came up as number 4 on the list of 10 risky practices employees routinely engage in, the chances are high that a hacked user’s Yahoo! password and the password on their backup email account are the same.
Komarov also found communications from a buyer for the data, but only if it contained information about a very specific set of people. The buyer supplied a list of ten names of U.S. and foreign government officials and industry executives to the hackers, and if their information was included in the stolen online loot then they had a deal.
… for Three Years!
I may have forgotten to mention that the data actually was stolen in August 2013, creating a 3-year opportunity for bad actors and foreign spies (based on the names in the buyer’s request, Komarov is pretty sure that it came from a government) to identify employees doing sensitive and high-security work here and overseas.
So of course, there are lessons on cyber-hygiene to be learned from this story and, as it happens, Micro Focus has a number of products which can help keep your company and your employees safer from attack.
- Don’t reuse passwords. In fact, your company might be able to get rid of most of your application and web-based passwords by implementing secure single sign-on or automated sign-on for mainframes (Access Manager for web, SecureLogin for apps, and Automated Sign-On for Mainframes).
- Use different names on your work and personal email accounts. Work might be rlaped@microfocus.com and home might be securityguru@outlook.com. It makes machine-based identity matching harder if not impossible.
- Don’t use real security answers. In my case, I treat them like passwords and use random character strings. This is another good reason to use a secure (not online!) password manager with strong encryption.
- If at all possible, use multi-factor authentication to access (and recover) your online accounts. And ask your company to use our Advanced Authentication product to implement multi-factor authentication on your internal systems and even your mainframe in case your password is somehow exposed.
- Create a backup email address on another personal email service rather than using your work address. If you use Outlook.com, have your backup on iCloud.com. You don’t even need to use your backup address for anything other than account recovery.
- Finally, implement least privilege so that if a user’s identity is ever stolen the attacker won’t have access to your entire network. Audit user access to your systems and track what they are doing on them. Install software which can immediately shut down a risky session.
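As an added illustration (not Micro Focus code, and not part of the original post), the following Python script audits a password-manager export for three of the problems in the list above: passwords reused across sites, security answers that are real words rather than random strings, and personal accounts whose recovery address is the work mailbox. The export layout, the field names, the example mail domain and every account and secret in the sample are constructed assumptions; a real password manager exports CSV or JSON with its own field names, and the only change needed is the loader.

```python
"""Audit a password-manager export for the hygiene problems described above.

Added illustration, not Micro Focus code. The export format (a list of dicts with
site, username, password, security_answers, recovery_email) is an assumption.
"""
import hashlib
import math
from collections import defaultdict

# Constructed sample export: fictional accounts, passwords and answers.
SAMPLE_EXPORT = [
    {"site": "mail.example-corp.com", "username": "rlaped@example-corp.com",
     "password": "Summer2013!", "recovery_email": "", "security_answers": []},
    {"site": "yahoo.example", "username": "rlaped",
     "password": "Summer2013!", "recovery_email": "rlaped@example-corp.com",
     "security_answers": ["Fluffy", "Springfield"]},
    {"site": "outlook.example", "username": "securityguru",
     "password": "x7#Qm2!pL9vZ@c4R", "recovery_email": "securityguru@icloud.example",
     "security_answers": ["k3J!z9Qw$2mXp7Lc", "Vb8@nT4rY1%sHq6W"]},
]

WORK_DOMAIN = "example-corp.com"   # assumption: the employer's mail domain


def _fingerprint(secret: str) -> str:
    """Hash the secret so reuse can be grouped without passing plaintext around."""
    return hashlib.sha256(secret.encode()).hexdigest()[:16]


def _entropy_bits(s: str) -> float:
    """Rough strength estimate: log2(size of the character classes used) per character."""
    classes = [any(c.islower() for c in s), any(c.isupper() for c in s),
               any(c.isdigit() for c in s), any(not c.isalnum() for c in s)]
    charset = sum(size for present, size in zip(classes, (26, 26, 10, 33)) if present)
    return len(s) * math.log2(charset) if charset else 0.0


def find_reused_passwords(export):
    """Return {fingerprint: [sites]} for every password that appears on two or more sites."""
    groups = defaultdict(list)
    for entry in export:
        groups[_fingerprint(entry["password"])].append(entry["site"])
    return {fp: sites for fp, sites in groups.items() if len(sites) > 1}


def find_guessable_answers(export, min_bits=80.0):
    """Security answers that look like real words or names instead of random strings.

    Returns (site, answer_index) pairs rather than the answers themselves, so the
    report never echoes a secret.
    """
    findings = []
    for entry in export:
        for idx, ans in enumerate(entry["security_answers"]):
            if ans.isalpha() or _entropy_bits(ans) < min_bits:
                findings.append((entry["site"], idx))
    return findings


def find_work_recovery_addresses(export, work_domain=WORK_DOMAIN):
    """Accounts whose recovery address is the work mailbox."""
    suffix = "@" + work_domain.lower()
    return [e["site"] for e in export if e["recovery_email"].lower().endswith(suffix)]


def audit(export, work_domain=WORK_DOMAIN):
    """Run all three checks and return one report dict."""
    return {
        "reused_passwords": find_reused_passwords(export),
        "guessable_answers": find_guessable_answers(export),
        "work_recovery": find_work_recovery_addresses(export, work_domain),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_EXPORT)
    for fp, sites in report["reused_passwords"].items():
        print(f"password {fp}... is reused on: {', '.join(sites)}")
    for site, idx in report["guessable_answers"]:
        print(f"{site}: security answer #{idx + 1} is guessable; replace it with a random string")
    for site in report["work_recovery"]:
        print(f"{site}: recovery address is the work mailbox; move it to another personal service")
```

Passwords are grouped by a truncated SHA-256 fingerprint so that the report can show which sites share a password without carrying the password itself, and the answer check reports positions rather than values for the same reason. The 80-bit threshold is a constructed cut-off that passes 16-character random strings and flags short dictionary words; the `isalpha()` test catches longer single words that would otherwise slip past a pure length-based estimate.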
Even though it is not related to this story, another tip is: don’t access work and personal email using the same email client. Autocomplete might send your work email out to a friend, which could range from mildly regrettable to an international scandal. Micro Focus offers mobile device management that’s secure, scalable, and covers BYOD devices to help separate personal and business information.