Yahoo Breach: Why it Affects All Websites with User Accounts
The Yahoo breach will, of course, affect the users whose accounts were stolen, but it also has a wider impact on the operators of other websites and applications where Yahoo users are also members. Many people use their Yahoo email address as the username and contact method on other sites of which they are members, and it is also common to reuse the same password across multiple sites. Together, these habits open the door to further fraud using the data sets compromised in the Yahoo breach.
For the big-name websites, many of the safeguards against these issues are already in place. For many smaller websites, however, significant risks remain. Below are some considerations to help any organization reduce its exposure.
Many people use the same username and password across different applications and websites.
If you are an organization with a large number of user accounts, some of which could belong to Yahoo account holders, you should prompt users to change their passwords immediately. Further, ensure that users change their passwords to something different from before. You should also put in place a recurring forced password change on at least an annual basis. If your application uses an email address as the username, you might want to analyze how many Yahoo addresses are in use to get an idea of the scope of the potential risk in your environment.
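As an added example (not code from the original post), the following Python script shows the two pieces of this step against a constructed user table: a scoping report of how many accounts use a Yahoo address, flagging those accounts for a forced change at next login, and a password-change routine that rejects the current password and recent previous ones. The set of Yahoo-operated domains, the PBKDF2 hashing scheme and the sample accounts are assumptions for the example; substitute whatever your application actually stores.

```python
import hashlib
import hmac
import os
from collections import Counter

PBKDF2_ROUNDS = 100_000  # illustrative work factor; tune to your hardware

# Domains treated as Yahoo-operated for the scoping analysis. This set is an
# assumption for the example; extend it to match what you see in your own data.
YAHOO_DOMAINS = {"yahoo.com", "ymail.com", "rocketmail.com"}


def hash_password(password, salt=None):
    """Return 'salt_hex$digest_hex' using PBKDF2-HMAC-SHA256 with a per-user salt."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Constant-time check of a candidate password against a stored hash."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def email_domain(email):
    return email.rsplit("@", 1)[-1].strip().lower()


def is_yahoo_address(email):
    # Covers yahoo.com, the country-code variants (yahoo.co.uk, yahoo.fr, ...)
    # and the other Yahoo-operated domains listed above.
    domain = email_domain(email)
    return domain in YAHOO_DOMAINS or domain.startswith("yahoo.")


def scope_report(users):
    """How many accounts use a Yahoo address, broken down by domain."""
    by_domain = Counter(
        email_domain(u["email"]) for u in users if is_yahoo_address(u["email"])
    )
    return {"total": len(users), "yahoo": sum(by_domain.values()), "by_domain": dict(by_domain)}


def flag_for_reset(users):
    """Mark every Yahoo-address account so the app forces a password change at next login."""
    flagged = []
    for u in users:
        if is_yahoo_address(u["email"]):
            u["must_change_password"] = True
            flagged.append(u["id"])
    return flagged


def change_password(user, current_password, new_password, history_size=5):
    """Rotate the password, rejecting the current password and recent previous ones."""
    if not verify_password(current_password, user["password_hash"]):
        return False
    # The new password must differ from the current one and from recent history.
    recent = [user["password_hash"], *user.get("history", [])]
    if any(verify_password(new_password, h) for h in recent):
        return False
    user.setdefault("history", []).insert(0, user["password_hash"])
    del user["history"][history_size:]
    user["password_hash"] = hash_password(new_password)
    user["must_change_password"] = False
    return True


def sample_users():
    """Constructed sample user table; none of these are real accounts."""
    rows = [
        (1, "alice@yahoo.com", "correct horse"),
        (2, "bob@Yahoo.co.uk", "battery staple"),
        (3, "carol@example.org", "hunter2hunter2"),
        (4, "dave@ymail.com", "tr0ub4dor&3"),
        (5, "erin@notyahoo.com", "xkcd-936"),
    ]
    return [{"id": i, "email": e, "password_hash": hash_password(p)} for i, e, p in rows]


if __name__ == "__main__":
    users = sample_users()
    print(scope_report(users))    # 3 of the 5 constructed accounts are on Yahoo domains
    print(flag_for_reset(users))  # [1, 2, 4]
```

Because stored hashes cannot be compared to each other, the "different from before" rule can only be enforced at the moment the user submits a new password in plaintext, which is why the check lives in change_password rather than in a batch job.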
Many yahoo.com email addresses are used as the password recovery email for the websites of which their owners are members.
Evaluate your website's password recovery functionality for susceptibility to an attacker who, having compromised a Yahoo account, tries to reset the passwords of other accounts that use it for recovery. One safeguard is to integrate phone or text validation as a secondary authentication step; this adds another factor of authentication (your phone), which stifles this attack method.
In addition, ensure that whenever a change is made to an account, such as a password reset, an email or text is sent notifying the user that it happened. This small detective safeguard greatly limits the damage an attacker can do without the real user becoming aware.
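The two safeguards above, a second factor on the recovery flow and a change notification, as an added Python example rather than code from the original post. The reset service issues an email token and a separate code sent to the user's phone, accepts the new password only when both match, expires and single-uses the reset, voids it after repeated wrong guesses, and then notifies the user on both channels. The account record, the phone number, the `https://app.example` link and the in-memory outbox standing in for a mail/SMS gateway are all constructed for the example; the PBKDF2 hash is a stand-in for whatever your application uses.

```python
import hashlib
import hmac
import os
import secrets
import time

RESET_TTL_SECONDS = 15 * 60   # a reset is only valid for 15 minutes
MAX_ATTEMPTS = 5              # wrong token/code submissions before the reset is voided


def hash_password(password):
    """Salted PBKDF2-HMAC-SHA256 as 'salt_hex$digest_hex' (stand-in for your app's scheme)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return f"{salt.hex()}${digest.hex()}"


def _same(a, b):
    """Constant-time string comparison that tolerates non-ASCII user input."""
    return hmac.compare_digest(a.encode(), b.encode())


class PasswordResetService:
    """Password recovery that needs both the email link and a code sent to the user's
    phone, and notifies the user on every channel once the password actually changes."""

    def __init__(self, users, clock=time.time):
        self.users = users    # user_id -> {"email", "phone", "password_hash"}
        self.clock = clock    # injectable so expiry can be tested
        self.pending = {}     # reset_id -> state of an in-progress reset
        self.outbox = []      # (channel, destination, message): stand-in for the mail/SMS gateway

    def _find_by_email(self, email):
        email = email.strip().lower()
        for uid, u in self.users.items():
            if u["email"].lower() == email:
                return uid
        return None

    def start_reset(self, email):
        """Issue an email token and a separate SMS code for the account, if it exists.
        The HTTP layer must answer with the same generic message either way, so that
        the recovery form does not reveal which addresses have accounts."""
        uid = self._find_by_email(email)
        if uid is None:
            return None
        user = self.users[uid]
        reset_id = secrets.token_urlsafe(16)
        state = {
            "user_id": uid,
            "email_token": secrets.token_urlsafe(32),
            "sms_code": f"{secrets.randbelow(10**6):06d}",
            "expires": self.clock() + RESET_TTL_SECONDS,
            "attempts": 0,
        }
        self.pending[reset_id] = state
        self.outbox.append(("email", user["email"],
                            f"Reset link: https://app.example/reset/{reset_id}?t={state['email_token']}"))
        self.outbox.append(("sms", user["phone"],
                            f"Your password reset code is {state['sms_code']}"))
        return reset_id

    def complete_reset(self, reset_id, email_token, sms_code, new_password):
        """Change the password only if the email token AND the phone code both check out."""
        state = self.pending.get(reset_id)
        if state is None:
            return False
        if self.clock() > state["expires"]:
            del self.pending[reset_id]
            return False
        state["attempts"] += 1
        if not (_same(email_token, state["email_token"]) and _same(sms_code, state["sms_code"])):
            if state["attempts"] >= MAX_ATTEMPTS:
                del self.pending[reset_id]   # void the reset rather than let the code be guessed
            return False
        user = self.users[state["user_id"]]
        user["password_hash"] = hash_password(new_password)
        del self.pending[reset_id]           # single use
        self._notify_change(user)
        return True

    def _notify_change(self, user):
        """Detective control: tell the user on every channel that the password changed."""
        msg = "Your password was just changed. If this was not you, contact support immediately."
        self.outbox.append(("email", user["email"], msg))
        self.outbox.append(("sms", user["phone"], msg))


def demo_service():
    """Constructed sample account; not a real user."""
    users = {7: {"email": "alice@yahoo.com", "phone": "+15555550100",
                 "password_hash": hash_password("old-password")}}
    return PasswordResetService(users)
```

The point of the design is that possession of the recovery mailbox alone no longer completes a reset, and even a successful reset leaves a trail in the user's inbox and on their phone.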
In the end, these safeguards are all best practices for protecting the users of any website and should be on your roadmap regardless of the Yahoo breach. The breach has simply increased the probability of these vulnerabilities being exploited in the near future, so if you are not on it already, we highly recommend adding these enhancements to your websites soon.
Need more information on Security Program Development? Contact one of our Information Security Experts.