Hacking seems to be one of the lead stories as we begin the New Year. The Yahoo security breach announced last month notes one of the latest victims. Yahoo released information regarding a theft in late 2014 of encrypted passwords and unencrypted personal information for over 1 billion Yahoo users.
The first question a techie like myself asks is “What security hole did Yahoo leave open?” The statement by Bob Lord, Yahoo chief information security officer, gives a hint: “The account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers.” (http://yahoo.tumblr.com/post/150781911849/an-important-message-about-yahoo-user-security) Bcrypt is a fairly secure hashing algorithm that takes months of brute force calculation to crack, so most people will have time to change their passwords before any damage is done.
The real shocker in Lord’s statement is “… unencrypted security questions and answers.” These are the questions a site uses to verify your identity when you forget your password, e.g., “What was the name of your first pet?”, “Who is your favorite actress?” Unlike passwords, which most people change regularly, these security questions and answers are your identity – they define who you are. You can’t change your mother’s maiden name or the city where you were born. Someone who has this information can steal your online identity to any site by proving they are you, no matter how secure your password is.
Stunningly, Yahoo encrypted the passwords, but apparently left the far more valuable personal information unencrypted. Hackers now have this information, in the clear, for billions of online users who are uniquely identified by their name and email address. Your Yahoo account is the least of your problems, if you still use Yahoo. You need to go to every other site where you gave personal information and change the questions or fabricate new answers, then remember your new answers. That’s a high price to pay for the benefits of having a Yahoo account.
Encrypting all personal information is a fairly basic tenet of online security, even for a fledgling online startup, let alone an attractive hacking target like Yahoo. It’s not as if Yahoo was unaware of hacker activity on their site, after a breach of over 450,000 accounts in 2012 and a series of spam mail attacks in 2013. And yet, Yahoo was slow to take any corrective action, despite warnings from Yahoo’s own internal security team. “…When it came time to commit meaningful dollars to improve Yahoo’s security infrastructure, [Yahoo CEO] Ms. Mayer…denied Yahoo’s security team financial resources and put off proactive security defenses.”
A security hole is a form of technical debt – a hole in the company’s technology that sooner or later will cost the company money, either to fix or to suffer the consequences. Almost every company has these sorts of “skeletons in the closet”:
The longer you wait to fix the problem, the more it costs the company, in risk or impaired performance. Yahoo chose to defer fixing their technical debt, but that debt has now come due with compound interest, and the timing could not be worse. Yahoo is in the midst of negotiating a sale to Verizon for $4.8 billion, and the mega breach threatens to slice the purchase price by billions or, if enough users flee Yahoo, could even cancel the deal or sink Yahoo entirely. That would be a new record for the skyrocketing cost of technical debt.
Yahoo’s plight provides some valuable take-away lessons for every company: