A hacking group known as D33Ds Company leaked about 453,000 hacked email addresses and passwords of Yahoo Voices users in order to send a “wake up call” about poor data security practices at Yahoo. The information posted online was NOT restricted to YahooMail login credentials, but included Gmail, Hotmail, Aol and Yahoo user information. In the past few weeks, there have been similar breaches at LinkedIn, eHarmony, Formspring, Nvidia, and AndroidForum. Whazzzup?
Corporations are clearly ignoring warnings that are now commonplace from privacy and security experts: protect your customer data or lose stock value, subscribers and ultimately, your brand reputation.
The average business will NOT take responsibility for preventing a similar breach of their data until AFTER THEY GET HIT. Which is why 95% of companies will hit the snooze button on the wake-up call.
Here is a short list of the mistakes made by Yahoo (and lessons learned) that your company should implement (unfortunately, only 5% of forwarding-thinking companies will do something about):
- The credentials file (which contained the usernames and passwords for Yahoo sites as well as Microsoft, Google and others) was stored in both an encrypted (good) and unencrypted (bad), text format. Translation: Yahoo started to take steps to protect themselves but didn’t finish the job of applying a secret code to the sensitive parts. Lesson: Intention isn’t good enough in business, you must have follow-through and accountability built into your culture of privacy.
- Yahoo didn’t adequately protect against one of the most damaging and common types of attacks (known as a SQL injection attack), which suggests that they didn’t have all of their operating system and security software up to date. Lesson: New year, same old story. For years, businesses have been skipping the simplest of anti-hack fixes – update your software.
- Yahoo failed to require their users to implement strong passwords (hey, that’s our fault as users, too – we have a responsibility to use strong passwords). In this case, it would have done nothing to protect the end users, but in most cases it does. Lesson: Force strong passwords on your users. They’ll get over the pain and will thank you when they don’t get breached.
- Yahoo didn’t salt the passwords as part of their protection. Lesson: Don’t even ask what salting is, just have your tech team implement it as part of your encryption.
- Yahoo was counting on a third-party to provide security software for their assets. Remember, no one cares about your data like you do, and that doesn’t mean you shouldn’t get the right help when you need it. Lesson: If you use a third party, make sure that you perform the correct due diligence when choosing the vendor and implement proper oversight to make sure they’re doing their job.
If you don’t hand this article to your techies and ask them to prevent the same from happening to you, you will have missed the wake-up call just like everyone else.