Security Breach: Yahoo! Gets Caught by an “Oldie but Goodie”
Another large, well-known company becomes a casualty of poor security practices. According to an article recently published by CSO Online, nearly a half-million user credentials were stolen from from Yahoo. A hacker activist group employed good old “SQL injection” to harvest users’ credentials from a Yahoo database. SQL injection is not new—in fact, having been around for more than a decade, SQL injection is perhaps one of the oldest tricks in the book as web-hacking techniques go.
So what and who cares about a Yahoo security breach?
Good question. The impact of this breach is yet to be determined. Yahoo downplayed the significance of the attack, claiming that many of the stolen credentials were outdated and invalid. Nevertheless, according to the report, some credentials were associated with other well-known service providers, which could certainly put those organizations and their users at risk. Even if the (outdated) credentials turn out to be of little value to the attackers in future exploits, the breach may indicate the presence of other vulnerabilities or loose security practices (giving attackers reason enough to keep poking). For sure, the breach is doing very little to help Yahoo protect its brand reputation and preserve consumer confidence.
Wake-up call for examining your own security practices?
As mentioned in the CSO Online article, the hacker group referred to this event as a “wake-up call” for Yahoo. I would go so far as to say that this is a wake-up call for any organization with public-facing web applications. As I had written in a previous blog post, there’s no excuse for not wearing your seat belt. Turns out that Yahoo didn’t securely store the passwords contained in the database that was compromised. Yahoo seems to have forgotten to wear its seat belt.
To be fair, my intent is NOT to beat up on Yahoo. My intent is to present the example of this event for a more positive purpose: awareness. This can happen to anyone. It can happen to you. I know that sometimes we get in a hurry to move something to production, or we rush to get a product to market, or we get comfortable (and maybe a little lazy?) because “we haven’t been breached yet!”, etc. If you can’t get it right before it goes out the door, at least go back and check it after it goes out (every second counts, by the way)…and beware of the carelessness that arises from it-hasn’t-happened-yet syndrome.
What are you doing to minimize your risk of being compromised and publicly scrutinized in the process? DON’T get caught by an oldie-but-goodie. If you’re not sure what security measures are being taken in your organization or you need help identifying what you should be doing, stop what you’re doing and call Fusion Alliance right away (or call someone, I don’t care who!). You may be just fine, but how do you know? And isn’t it worth knowing? I would bet that the good folks at Yahoo thought they were just fine, too.
SOUND OFF: What is your company doing to ensure it doesn’t get compromised by an oldie-but-goodie hacker attack?