IT security news sometimes seems like an ongoing list of companies that have found themselves the victim of hacking groups or hacktivists, hackers that operate not out of a desire for fame or ill-gotten gains but in order to send a political or social message. All too often, the intrusions suffered by these businesses lead to the public release of information best kept private. The latest such company to find itself the victim of such tactics is none other than internet giant Yahoo!, which was attacked by hacking group D33Ds.
The hacking group gained access to nearly half a million Yahoo! login credentials, the combination of a user name with the coordinating password. These login credentials were accessed on July 11 when D33Ds managed to steal a file related to the Yahoo! Contributor Network. The file, described as ‘older’ originated with Associated Content, which has since been absorbed into the Yahoo! network. According to a statement from Yahoo!, the file contained a great deal of data that was no longer relevant or accurate: "Less than 5 percent of the Yahoo! accounts [disclosed in the file] had valid passwords."
This is a good thing, to be sure. It indicates that many Yahoo! users have applied a basic IT security strategy and have changed their passwords in the years that have passed since that particular file was compiled. At the same time, the disclosure of the user names and passwords also indicates a heightened need to encrypt data. When the Associated Content password file was first created years ago, email encryption was not as common a technology as is the case today. It is perhaps understandable that the file was not encrypted at the time of its creation. The fact that it remained unencrypted years later and then became fodder for hackers, however, should be a wake-up call for small and medium-sized businesses.
Yahoo! found itself in a position no SMB wants to occupy: issuing a statement of responsibility and explaining the company's response to the breach. "We are fixing the vulnerability that led to the disclosure of this data, changing the passwords of the affected Yahoo! users and notifying the companies whose users' accounts may have been compromised," the company announced. Such a statement may never have been necessary if older files containing password data had been passed through strong encryption technology.
The example should show SMBs the importance of encrypting not just newly created information but also applying the technology to archived items that could be potentially accessed by intruders at some point. For more information about IT solutions for applying encryption, request a free consultation with an iCorps email encryption expert today.