The long and controversial delay in disclosing the second attack on Yahoo account holders' data is attributed to the company's security staff having failed to detect the intrusion at the time it happened.
Yahoo's startling announcement of a second major data breach, dating from August 2013 and affecting around one billion accounts, has set off alarms across the cyber security world. The announcement came on Wednesday of this week, although the first indications had surfaced in November, when the company also shared its suspicions with users.
In a post on a microblogging site, Yahoo told its users that law enforcement authorities had provided it with data files claimed to contain Yahoo account holders' information. That suspicion was shared with users in November. The files were examined with the help of outside forensic experts, and the claim turned out to be true.
In the same post the company added that the findings of the outside forensic team were analysed further. As the inquiry proceeded, it was established that an unauthorised party had accessed and stolen data on about one billion Yahoo user accounts back in August 2013. The company admitted that its security staff had not identified the intrusion at the time, and it stated that this was a separate incident from the one it disclosed on September 22, 2016.
The company also said that the stolen account information may include names, dates of birth, telephone numbers, e-mail addresses, hashed passwords (using MD5) and, in some cases, security questions and answers, both encrypted and unencrypted. According to the investigation, bank account and payment card data were not held in the affected system and clear-text passwords were not compromised. The qualification matters less than it sounds: MD5 is a fast general-purpose hash rather than a password hash, so MD5-hashed passwords give little protection to anyone whose password appears in a common wordlist.
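To make that caveat concrete, the following Python is an added example, not code from the original article or from Yahoo. It assumes the leaked MD5 hashes were stored without a salt (the article says only "MD5"), builds a constructed dump of three hypothetical accounts and a six-word wordlist, recovers every password that appears in the list with a single pass of MD5 computations, and contrasts that with a PBKDF2-HMAC-SHA256 record carrying a random per-user salt and a high iteration count, which forces per-account work and makes each guess far more expensive.

```python
import hashlib
import hmac
import os


# Constructed sample dump: hypothetical users with unsalted MD5 password hashes,
# the form a leak of "hashed passwords (using MD5)" takes when no salt is used.
# These are made-up accounts, not data from the Yahoo incident.
LEAKED_MD5 = {
    "alice@example.com": hashlib.md5(b"password1").hexdigest(),
    "bob@example.com": hashlib.md5(b"letmein").hexdigest(),
    "carol@example.com": hashlib.md5(b"Xq9!vR2#pLm7").hexdigest(),
}

# A tiny constructed wordlist standing in for the multi-million-entry lists
# attackers actually use.
WORDLIST = ["123456", "password", "password1", "letmein", "qwerty", "yahoo2013"]


def crack_unsalted_md5(dump, wordlist):
    """Offline dictionary attack against unsalted MD5 hashes.

    Without a salt, one MD5 computation per candidate word tests that word
    against every account in the dump at once, so the attacker's cost grows
    with the wordlist, not with the number of accounts.
    Returns {account: recovered_password} for every hash found in the list.
    """
    lookup = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {acct: lookup[h] for acct, h in dump.items() if h in lookup}


def hash_password(password, iterations=600_000):
    """Store a password with PBKDF2-HMAC-SHA256, a random 16-byte salt and a
    high iteration count. The salt forces per-account work on an attacker and
    the iterations make each guess thousands of times slower than one MD5."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "$".join(["pbkdf2_sha256", str(iterations), salt.hex(), digest.hex()])


def verify_password(password, stored):
    """Recompute the PBKDF2 digest from the stored parameters and compare in
    constant time. Returns True only for the original password."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    print("recovered from MD5 dump:", crack_unsalted_md5(LEAKED_MD5, WORDLIST))
    record = hash_password("password1")
    print("stored record:", record)
    print("verify correct:", verify_password("password1", record))
    print("verify wrong:  ", verify_password("letmein", record))
```

Running it recovers alice's and bob's passwords from the dump while carol's, which is not in the wordlist, survives; the PBKDF2 record verifies only the original password, and an attacker would have to repeat the full iteration count for every guess against every account.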
The ongoing investigation also found that an unauthorised third party had accessed the company's proprietary code and learned from it how to forge cookies, which would let an attacker enter an account without its password. The outside forensic team identified user accounts on which forged cookies had been used. The company has invalidated the forged cookies and is notifying the affected account holders. The web-mail provider attributes this activity to the same state-sponsored actor that it believes carried out the 2014 data theft.
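The following Python is an added example, not code from the article or from Yahoo, of what cookie forgery looks like and what it takes to stop it. It assumes a hypothetical session-cookie design: an HMAC-SHA256-signed body naming the user, an expiry, a random session id and a key id. It shows three cases: an outsider editing the cookie body fails the signature check; an attacker who has stolen the minting code and key, the situation described above, produces a perfectly signed cookie that is rejected only because the server keeps a record of the session ids it actually issued; and rotating the signing key invalidates every cookie issued so far in one step.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time


def _b64(raw):
    return base64.urlsafe_b64encode(raw).decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text.encode())


class CookieAuthority:
    """Issues and verifies signed session cookies (hypothetical design).

    Cookie layout: base64(body) "." base64(HMAC-SHA256(key, body)), where the
    JSON body carries the user, expiry, a random session id and the key id.
    A cookie is accepted only if the signature is valid AND the session id is
    one this authority minted, so a cookie produced with a stolen key fails.
    """

    def __init__(self):
        self.current_kid = 1
        self.keys = {self.current_kid: secrets.token_bytes(32)}
        self.issued = set()  # server-side record of session ids we minted

    def _mac(self, kid, body):
        return hmac.new(self.keys[kid], body, hashlib.sha256).digest()

    def issue(self, user, ttl=3600, now=None):
        now = int(time.time()) if now is None else now
        sid = secrets.token_hex(16)
        claims = {"u": user, "exp": now + ttl, "sid": sid, "kid": self.current_kid}
        body = json.dumps(claims, separators=(",", ":")).encode()
        self.issued.add(sid)
        return _b64(body) + "." + _b64(self._mac(self.current_kid, body))

    def verify(self, cookie, now=None):
        """Return the user for a valid cookie, or None for anything else."""
        now = int(time.time()) if now is None else now
        try:
            body_b64, sig_b64 = cookie.split(".")
            body, sig = _unb64(body_b64), _unb64(sig_b64)
            claims = json.loads(body)
            kid = claims["kid"]
            if kid not in self.keys:
                return None  # signed with a key that has been rotated out
            if not hmac.compare_digest(sig, self._mac(kid, body)):
                return None  # body tampered with, or forged without the key
            if int(claims["exp"]) < now:
                return None  # expired
            if claims["sid"] not in self.issued:
                return None  # forged with the key: we never issued this session
            return claims["u"]
        except (ValueError, KeyError, TypeError):
            return None  # malformed cookie

    def rotate_key(self):
        """Replace the signing key and forget the old one: every cookie signed
        so far now fails, which is how a service invalidates cookies in bulk."""
        self.current_kid += 1
        self.keys = {self.current_kid: secrets.token_bytes(32)}
        self.issued.clear()


def tamper_user(cookie, new_user):
    """Attacker WITHOUT the key: edit the body, keep the original signature."""
    body_b64, sig_b64 = cookie.split(".")
    claims = json.loads(_unb64(body_b64))
    claims["u"] = new_user
    body = json.dumps(claims, separators=(",", ":")).encode()
    return _b64(body) + "." + sig_b64


def forge_with_stolen_key(authority, user, now=None):
    """Attacker WITH the cookie-minting code and key: a correctly signed cookie
    for any user, with no login. Only the issued-session check stops it."""
    now = int(time.time()) if now is None else now
    kid = authority.current_kid
    claims = {"u": user, "exp": now + 3600, "sid": secrets.token_hex(16), "kid": kid}
    body = json.dumps(claims, separators=(",", ":")).encode()
    sig = hmac.new(authority.keys[kid], body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(sig)


if __name__ == "__main__":
    auth = CookieAuthority()
    cookie = auth.issue("alice", now=1000)
    print("genuine:", auth.verify(cookie, now=1500))
    print("tampered:", auth.verify(tamper_user(cookie, "bob"), now=1500))
    print("forged with key:", auth.verify(forge_with_stolen_key(auth, "bob"), now=1500))
    auth.rotate_key()
    print("after rotation:", auth.verify(cookie, now=1500))
```

The design point is that a signature alone only proves the cookie was made with the key; once the code and key are in an attacker's hands, the service needs state of its own (an issued-session registry, or a key rotation that logs everyone out) to tell its cookies from forged ones.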
Given the scale of the compromise, it is striking that the company took three years to account for the breach. The wording of the blog post suggests that Yahoo's internal security teams learned of it from outside agencies rather than from their own monitoring.
Cyber security experts point to several plausible reasons why users do not learn about such intrusions soon after they occur. One is the patchwork of differing state laws on cyber crime and breach reporting. A uniform standard would make the process quicker, but legislators have not reached that point.
Moreover, disclosure obligations differ by type of information, and it takes time to assess whether financial, medical or other confidential data was compromised and how much harm that could do to users. On top of that, companies often hesitate to notify users in detail, fearing a hard blow to their brand image and assuming that the people affected will not pay attention to the technical details of the attack anyway.
It should be recalled that in September this year Yahoo announced a similar incident affecting around 500 million accounts, which took place in 2014. That breach came to notice when data said to belong to around 200 million Yahoo users was offered for sale online by a seller using the moniker "Peace", who had also been linked to the sale of data stolen from LinkedIn and MySpace. Yahoo subsequently faced class action suits from various parties along with several investigations.
The company attributed that incident to "state-sponsored" hackers and said at the time, in September 2016, that its systems were no longer affected.
The company has begun remedial measures and has also issued instructions to users on protecting their accounts against the exposed information being misused.
The Yahoo case is a wake-up call for web-mail providers to review their policies and notify users of any compromise of their accounts at the earliest opportunity. It also strengthens the case for harmonising data security laws across states, so that the public, who suffer most when conflicting regulations combine with late disclosure by companies, are not left exposed.