Yahoo Breach: Why it Affects All Websites with User Accounts
The Yahoo breach will, of course, impact all the users whose accounts were stolen, but it also has a larger impact on the operators of other websites and applications that Yahoo users use.
In many cases, people use their Yahoo email address as the username and contact method on other websites. It’s also common for people to use the same passwords across multiple sites, which opens the door for more potential fraud with the compromised datasets from the Yahoo breach.
For the big-name websites, many of the safeguards to protect against these issues are in place. But many smaller websites still face significant risks.
Below are some considerations to help any organization that wants to reduce its exposure.
Many people use the same username and password across different sites
If you’re an organization with many accounts that may be linked to Yahoo, you should prompt your users to change their passwords immediately.
Make sure that your users change their passwords to something different, and consider implementing a forced, recurring password change on an annual basis.
If your website or application uses an email address as the username or contact address, you may want to count how many Yahoo addresses are in use to get an idea of the scope of potential risk in your environment.
Many Yahoo email addresses are used as password recovery addresses
Evaluate your website's password recovery functionality for susceptibility to an attacker who controls a compromised Yahoo mailbox and uses it to reset the password on the linked account.
One safeguard is to integrate phone or text-message validation as a second authentication factor. The additional factor blocks a reset driven from the email account alone.
Additionally, ensure that whenever a change is made to an account, such as a password reset, an email or text is sent to the user notifying them that it happened.
This small detective safeguard limits the damage an attacker can do before the real user becomes aware.
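The scoping exercise above (counting Yahoo addresses in use) and the recovery-email review can be combined into one pass over your user table. The following is an added example, not code from the original post or from CISOSHARE: it classifies each account by whether its login address, its recovery address, or both are Yahoo-hosted, and lists accounts whose password has not changed since an assumed disclosure date. The domain list, the sample accounts and the disclosure date are constructed assumptions.

```python
from collections import Counter
from datetime import date

# Assumed list of Yahoo-operated mail domains; extend it for your own user base.
YAHOO_DOMAINS = {"yahoo.com", "ymail.com", "rocketmail.com"}
# Assumed breach disclosure date used as the cut-off for "password not changed since".
DISCLOSURE_DATE = date(2016, 9, 22)

def is_yahoo_address(addr):
    """True if the address is Yahoo-hosted, including country variants such as yahoo.co.uk."""
    if not addr or "@" not in addr:
        return False
    domain = addr.rsplit("@", 1)[1].strip().lower()
    return domain in YAHOO_DOMAINS or domain.startswith("yahoo.")

def classify(account):
    """Which of the account's addresses are Yahoo-hosted: 'both', 'login', 'recovery' or None."""
    login = is_yahoo_address(account.get("email"))
    recovery = is_yahoo_address(account.get("recovery_email"))
    if login and recovery:
        return "both"      # reset links and recovery both land in a possibly compromised mailbox
    if login:
        return "login"
    if recovery:
        return "recovery"
    return None

def assess_exposure(accounts, disclosure_date=DISCLOSURE_DATE):
    """Count Yahoo-linked accounts per exposure class and list those still due a forced reset."""
    counts = Counter()
    reset_due = []
    for acct in accounts:
        cls = classify(acct)
        if cls is None:
            continue
        counts[cls] += 1
        # A password last changed before disclosure is treated as possibly reused and stale.
        if acct["last_password_change"] < disclosure_date:
            reset_due.append(acct["id"])
    return {"counts": dict(counts), "reset_due": sorted(reset_due)}

# Constructed sample accounts; addresses and dates are invented for illustration.
SAMPLE_ACCOUNTS = [
    {"id": 1, "email": "alice@yahoo.com", "recovery_email": "alice@yahoo.co.uk", "last_password_change": date(2016, 1, 10)},
    {"id": 2, "email": "bob@example.org", "recovery_email": "bob@ymail.com", "last_password_change": date(2016, 11, 2)},
    {"id": 3, "email": "carol@Yahoo.com", "recovery_email": None, "last_password_change": date(2016, 12, 1)},
    {"id": 4, "email": "dave@example.org", "recovery_email": "dave@example.net", "last_password_change": date(2015, 6, 1)},
]

if __name__ == "__main__":
    print(assess_exposure(SAMPLE_ACCOUNTS))
```

Accounts in the "both" class are the ones to prioritise for the second-factor and change-notification safeguards, since every recovery path for them runs through the same provider.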
In the end, these safeguards are all best practices to protect the users of any website and as a result should be on your roadmap to implement regardless of the Yahoo breach.
The Yahoo breach increased the probability of these vulnerabilities being exploited in the near future, which means if you aren’t on it already, we highly recommend you add these enhancements to your websites soon.
Need more information on Security Program Development? Contact one of our Information Security Experts.
CISOSHARE’s President and CEO
Mike Gentile has been helping organizations build Information Security Programs for more than 20 years. He has written multiple recognized books on the subject, provided hundreds of presentations, and built many Security Programs in both internal and external consulting roles.