25 September 2016

In August 2016, a hacker offered 200 Million Yahoo Accounts for sale on the Darknet. In a first investigation, Yahoo found no evidence for this assertion. But the investigation team found indications for a data breach which happened in 2014.

Last Thursday, Yahoo announced that account information of 500 Million users was stolen in late 2014. The good news is that the company found no evidence that the attackers are still active in their network. And that only names, email addresses, phone numbers, birth dates, encrypted passwords, and, in some cases, security questions and answers were stolen.

That is bad enough, especially because reuse of account information like security questions and answers is a widespread bad habit. Yahoo users are well advised to change their security questions wherever they have reused them.

But what really worries me is that it took about 600 days before the breach was detected. That is far more than the MTTI (Mean Time to Identify) of 206 days the Ponemon Institute estimated in the ‘2015 Cost of Data Breach Study:  Global Analysis’. And more than the max. value of 582 days.

One can only speculate whether indicators of compromise were non-existent or ignored or not recorded or not regularly reviewed. Regular review of event and incident data is a really tough job, but essential if it comes to the assessment of indicators of compromise.

Have a good week.