More than 1 billion Yahoo user accounts were compromised, the company announced on Wednesday. The breach, the second major hack Yahoo has disclosed in under three months, is a very public example of how attackers get around passwords and security questions, and why even multi-factor authentication is not enough on its own.
The stolen data may have included “names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers” but not “passwords in clear text, payment card data, or bank account information,” Yahoo CISO Bob Lord stated. “Hashed” is cold comfort here: unsalted MD5 is a fast general-purpose digest, not a password-storage function, and commodity GPUs test billions of MD5 guesses per second, so any user with a common password should treat it as exposed.
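Why “hashed passwords (using MD5)” offers so little protection is easiest to see by running the attack. The following is an added example written for this article, not code from Yahoo or BioCatch: it stores one shared password for two users first as unsalted MD5 (the format the leaked records were described as using) and then as salted, iterated PBKDF2-HMAC-SHA256 from Python’s standard library, and runs the same small dictionary attack against both. The wordlist, user names, shared password and iteration count are all constructed for the demonstration.

```python
import hashlib
import hmac
import os
import time
from typing import Dict, Iterable, Optional, Tuple

# Constructed sample data for the demonstration (not real Yahoo records):
# a tiny dictionary and two users who happen to share a weak password.
WORDLIST = ["password", "123456", "qwerty", "letmein", "sunshine2013", "iloveyou"]
SHARED_PASSWORD = "sunshine2013"

# Hypothetical work factor for the hardened format; tune upward in production.
PBKDF2_ITERATIONS = 100_000


def md5_hex(password: str) -> str:
    """Unsalted MD5, the format the leaked records were described as using.
    Same password -> same digest, for every user, with no per-guess cost to speak of."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def crack_md5(target_hex: str, wordlist: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack on one MD5 digest: one cheap hash per guess."""
    for candidate in wordlist:
        if hmac.compare_digest(md5_hex(candidate), target_hex):
            return candidate
    return None


def pbkdf2_record(password: str) -> Tuple[bytes, int, bytes]:
    """Salted, iterated storage with PBKDF2-HMAC-SHA256 (standard library).
    The random per-user salt breaks precomputed tables and stops one crack
    from covering every account with the same password; the iteration count
    makes every guess cost PBKDF2_ITERATIONS HMAC computations."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, PBKDF2_ITERATIONS, digest


def verify_pbkdf2(password: str, record: Tuple[bytes, int, bytes]) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    salt, iterations, digest = record
    probe = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(probe, digest)


def crack_pbkdf2(record: Tuple[bytes, int, bytes], wordlist: Iterable[str]) -> Optional[str]:
    """Same dictionary attack, now paying the full work factor per guess and
    per account, because each record carries its own salt."""
    for candidate in wordlist:
        if verify_pbkdf2(candidate, record):
            return candidate
    return None


def compare_formats(wordlist: Iterable[str] = WORDLIST) -> Dict[str, object]:
    """Store SHARED_PASSWORD for two users in both formats, attack each with
    the same dictionary, and report what the attacker learns and what it costs."""
    words = list(wordlist)

    md5_alice, md5_bob = md5_hex(SHARED_PASSWORD), md5_hex(SHARED_PASSWORD)
    t0 = time.perf_counter()
    md5_hit = crack_md5(md5_alice, words)
    md5_seconds = time.perf_counter() - t0

    rec_alice, rec_bob = pbkdf2_record(SHARED_PASSWORD), pbkdf2_record(SHARED_PASSWORD)
    t0 = time.perf_counter()
    pbkdf2_hit = crack_pbkdf2(rec_alice, words)
    pbkdf2_seconds = time.perf_counter() - t0

    return {
        # Identical MD5 digests: cracking Alice cracks Bob for free.
        "md5_records_identical": md5_alice == md5_bob,
        "md5_recovered": md5_hit,
        "md5_seconds": md5_seconds,
        # Distinct salted records: Bob has to be attacked from scratch.
        "pbkdf2_records_identical": rec_alice[2] == rec_bob[2],
        "pbkdf2_recovered": pbkdf2_hit,
        "pbkdf2_seconds": pbkdf2_seconds,
        "slowdown_factor": pbkdf2_seconds / md5_seconds if md5_seconds else float("inf"),
    }


if __name__ == "__main__":
    for key, value in compare_formats().items():
        print(f"{key}: {value}")
```

Both attacks succeed against a six-word dictionary, which is the point: a weak password is recoverable in either format. What changes is the economics. The MD5 pass finishes in microseconds and the single recovered digest unlocks every account that chose the same password, while the PBKDF2 pass costs the full iteration count for every guess against every account, and the per-user salt means the work done on one account cannot be reused on the next.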
The Dec. 14 disclosure of the 2013 attack came on the heels of the company’s September disclosure that 500 million user accounts had been hacked in 2014. Lord said Yahoo believes the 2014 attack was state-sponsored, and that the same actor obtained Yahoo’s proprietary code and used it to forge session cookies, gaining access to user accounts without ever entering a password.
While the victims of the 2014 attack have not been publicly identified, the 2013 hack affected more than 150,000 federal and military personnel who had provided government email addresses to Yahoo as a backup contact, Bloomberg reported.
The two attacks are the largest known security breaches of one company’s computer network, according to the New York Times. Although it did not do so in September, Yahoo has this time forced all affected users to change their passwords and security questions.
However, simply resetting passwords and security questions is not enough by itself. This hack highlights the ineffectiveness of traditional authentication methods on their own: fraudsters routinely get around them with remote access trojans (RATs), credential-stealing malware, phishing, social engineering and more.
Cybersecurity needs to step it up. Newer fraud detection and prevention methods such as behavioral biometrics and continuous authentication can help organizations spot unauthorized behavior within a session, whether it comes from a human fraudster or from automated, bot-driven injection.
In the flurry of media coverage responding to the latest breach, security experts consistently noted that the breach is troubling not only for its size but also because it went undetected for years. The company only found out when a cybersecurity firm’s CIO found a database for sale on a public cybercrime forum. The going price for the illicit login list? $300,000.
The cost to Yahoo and its customers could be far greater. Organizations need to authenticate user behavior continuously, throughout an entire session, rather than only at login, so that a stolen password, a cracked hash or a forged cookie is not the end of the story. BioCatch’s technology transparently authenticates real users based on their behavior, differentiating between human and non-human device interactions. Better still, the platform offers real-time insight and analytics to prompt action quickly, not three years after the fact.