Yahoo’s Cyber Problems and Yours
I saw a funny tweet the other day, riffing on the new Star Wars movie, Rogue One.
“Find out your Star Wars’ droid name! Just enter your last name and the last 4 digits of your Social Security number!” Or something like that.
Very clever. While I would assume there is no earthly way anyone could fail to see that for the joke it is, who can be sure? It’s a topsy-turvy world we live in these days. People still fall for phishing scams to such a degree that reports from the Anti-Phishing Working Group claim that there were more phishing attacks in the first quarter of 2016 than at any other time in history. It certainly didn’t do any favors for Democratic National Committee chairman John Podesta and his email account, which was hacked due to spearphishing. The billion+ credentials stolen from the two Yahoo breaches could similarly be used to initiate phishing campaigns. This could particularly be the case if government workers gave their official government emails to Yahoo as backups, which would make them valuable targets for foreign intelligence services.
Scenarios like this start to move beyond the hypothetical to the realm of possibility in light of reports from security firm InfoArmor, which discovered that one of the three buyers of the Yahoo data dump ($300,000 price tag) had an eye toward espionage. Said purchaser asked if the ‘product’ contained valid data on business executives and government employees. Considering the Yahoo database did in fact have details on about 150,000 US government and military personnel (from FBI agents to NSA officials to CIA human resources managers), according to Bloomberg, I’d say that’s a pretty big red flag. The other two buyers, by the way, were apparently spammers.
Whoever the buyers, whoever the culprits, these breaches are likely to cost Yahoo substantially. With the company already facing class action lawsuits and more surely to come, I don’t think anyone would be shocked if further wrinkles confronted Yahoo in its already uncertain purchase by Verizon. Perhaps Verizon decides it’s not even worth it, that nothing can be salvaged from these debacles, and abandons the acquisition altogether. Either way, people still got screwed. “The type of information here, when aggregated with other information that is out there on the dark web, has the potential to provide a lot more information about individuals,” said Linn Freedman, data privacy and security team chair for Robinson & Cole. “People really need to take measures to protect themselves here,” such as limiting the amount of personal information you put online, and being careful about app selection.
Because while titanic entities negotiate over mergers and acquisitions, it’s the consumers who face the risk of becoming droids.