Yahoo Data Breach: What more could go wrong?

Yahoo, now owned by Verizon, is in the headlines once again, and it seems that things are going from bad to worse for the internet giant. The internet service company suffered two major data breaches, one occurring in 2013 and a separate breach occurring in 2014. These were not publicly reported until 2016, when it was disclosed that over 500 million Yahoo accounts had been affected. The Yahoo data breaches are considered to be the largest discovered on the internet.



In August 2013 Yahoo suffered an enormous data breach, but it wasn’t publicly announced until December 2016, when it was believed that 1 billion accounts, including 8 million UK accounts, had been compromised. This essentially means that during the Yahoo data breach, a third of the company’s customers had their account information exposed and their accounts left vulnerable without their knowledge for nearly three years. Yahoo announced that only user names, email addresses, full names and dates of birth were compromised during the breach. Encrypted passwords and financial information were thankfully stored on a different server which they believe wasn’t affected.

When it comes to a data breach, 1 billion user accounts is already a monumental figure. However, this month Yahoo has reported that the number of compromised accounts is actually 3 billion. This figure is triple the amount first reported, meaning that nearly every Yahoo account ever created to date, including webmail, Flickr, Tumblr and Yahoo Sports accounts, had been compromised. If you created any of these accounts prior to the breach in August 2013, it’s almost guaranteed that you’ve been affected.

In December 2016 when the breach was first announced, Yahoo imposed new security measures to ensure that the hackers had less opportunity to access exposed accounts. First, customers were forced to change their passwords and second, any non-encrypted security questions were removed. Although the security of the accounts has now been improved and the chance of someone having their accounts accessed is slim, there’s still a lot of stolen personal data that hackers could use to their advantage.

In Tuesday’s statement, Verizon’s chief information security officer Chandra McMahon said:

“Verizon is committed to the highest standards of accountability and transparency, and we proactively work to ensure the safety and security of our users and networks in an evolving landscape of online threats.”

“Our investment in Yahoo is allowing that team to continue to take significant steps to enhance their security, as well as benefit from Verizon’s experience and resources.”

What you should do next to help protect yourself:


  • Change your password
    If you haven’t already, it’s a good idea to reset your password for any Yahoo-owned account you have. With every password, ensure that it is complex but memorable. It’s also important to not use the same password for different accounts as this gives attackers a gateway into other personal data. If you would like to read more on our password best practices, download our free poster here.
  • Monitor your accounts
    Keep an eye on the account for any suspicious activity. Yahoo Mail has a feature where you can view your last activity and last logins. If there’s something out of the ordinary that raises alarm bells, it would be best to change your passwords, run a virus scan and check your bank accounts.
  • Enable two-step authentication
    Something that we recommend for any account is to enable two-step authentication (2FA) where available. This is a method in which you will need your usual password as well as another password to access your account. Usually, a one-time key/password is generated and sent to your phone or other device. This means that should your usual password be compromised, hackers would have another layer of security to try and bypass.
  • Install antivirus
    Having antivirus installed on your computer is extremely important. It’s the front line in defending you against harmful attacks. It’s also important to keep your antivirus up to date and to run regular scans on your device. With malware becoming so advanced, we recommend installing antivirus software on your portable devices such as phones and tablets too.
  • Be vigilant
    Hackers’ techniques are always evolving and becoming ever more sophisticated, so we recommend staying vigilant to anything that seems suspicious. One of the most popular ways a hacker will try to steal personal data or infect your machine with malware is via email. If you’re unsure of the legitimacy of an email, it’s best to ignore or delete it.


How can CS Risk Management help?

With cyber-attacks becoming more advanced, have you reviewed your cyber security recently? CS Risk Management is a cybersecurity and risk management company helping organisations implement an effective cybersecurity strategy. We offer a range of cyber security consultancy services which help companies using IT, OT and control systems audit their security and minimise the chances of a successful cyber attack.

Our risk management consultants are CISA-certified senior IT auditors, with a strong background in information security assurance and compliance. With extensive experience in security and governance internal audit and auditing IT within large and small organisations, we can provide the expertise you need to gain comfort that your IT function is performing effectively and within your risk appetite.

Did you know? – The new GDPR regulations come into force as of May 2018, and many companies are still unaware that fines can reach up to €20 million or 4% of global revenue (whichever is greater).

Find out more about our audit and assurance services or contact us today if you’re looking to mitigate the risk of being impacted by a data breach.