
Biggest Data Breach Yet: What Are the Implications of the Yahoo Hack?


The biggest security story of this week by far was the massive data breach at Yahoo.


The biggest security story of this week by far was the massive data breach at Yahoo. The implications of this breach -- widely reported to be the largest of its kind in history -- will be wide-ranging and complex. As the Yahoo hack (and many others like it) proves, it is still very difficult for companies to keep up with and ensure the security of their websites, applications, and customer data. And there is no doubt that security posture is emerging as a major factor in corporate valuations.

In fact, much of the coverage of the Yahoo hack so far has focused on how it might impact the company's pending $4.8 billion sale to telecommunications giant Verizon. The Wall Street Journal reported that "in a proxy filing related to the Verizon deal on Sept. 9, Yahoo said it wasn't aware of any 'security breaches' or 'loss, theft, unauthorized access or acquisition' of user data." Though the hack apparently occurred in 2014, Verizon was reportedly notified of it only this past week. Yahoo blamed the hack on "state-sponsored" attackers, but did not provide further details.

A Treasure Trove of Stolen Data

Attackers were able to access user account information, possibly including names, email addresses, telephone numbers, dates of birth, hashed passwords, and security questions and answers, according to various reports. Most of the passwords were hashed with the secure algorithm bcrypt, and while some security questions were encrypted, some were not. The attack was a textbook example of an Account Takeover (ATO) attack -- the most common form of cyber attack today. 

"It depends a lot on how Yahoo implemented bcrypt," notes Oliver Lavery, IMMUNIO's VP of Research. "If they used a separate salt for each hash, and a sufficient number of rounds of bcrypt, it could be quite secure. The problem is that cryptographic implementation is very difficult, and generally attackers can break the implementation much more easily than the ciphers involved."

"The precise burden bcrypt imposes on the Yahoo attackers can't be calculated because the 'cost factor' used to hash the passwords is unknown," according to a report in ArsTechnica.  
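The two properties Lavery and Ars single out, a per-hash salt and an adequate cost factor, are both visible in a stored bcrypt string, so a defender can audit a password table for them without knowing any password. The following Python is an added example, not code from the article or from IMMUNIO; the hash strings are constructed placeholders with valid bcrypt structure but no real digest, and the `min_cost` threshold of 10 is an assumption.

```python
import re
from collections import Counter

# bcrypt modular-crypt format: $2<variant>$<2-digit cost>$<22-char salt><31-char digest>,
# both salt and digest drawn from bcrypt's base64 alphabet ./A-Za-z0-9
BCRYPT_RE = re.compile(r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")

# Constructed sample rows (NOT real hashes): a good one, a low-cost one,
# one that reuses the first row's salt, and a non-bcrypt value.
SALT_1 = "abcdefghijklmnopqrstuv"              # 22 chars
SALT_2 = "ABCDEFGHIJKLMNOPQRSTUV"              # 22 chars
DIGEST = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcde"     # 31 chars
SAMPLE_HASHES = [
    "$2b$12$" + SALT_1 + DIGEST,
    "$2b$04$" + SALT_2 + DIGEST,
    "$2b$12$" + SALT_1 + DIGEST,
    "not-a-bcrypt-hash",
]

def parse_bcrypt(h):
    """Return (variant, cost, salt, digest); raise ValueError for a malformed string."""
    m = BCRYPT_RE.match(h)
    if not m:
        raise ValueError("not a bcrypt hash: %r" % h)
    variant, cost, salt, digest = m.groups()
    return variant, int(cost), salt, digest

def relative_work(cost, baseline=10):
    """bcrypt runs 2**cost expensive key-setup rounds, so each +1 on the cost
    factor doubles the per-guess work an attacker must spend relative to baseline."""
    return 2 ** (cost - baseline)

def audit_hashes(hashes, min_cost=10):
    """Flag weak cost factors and salts shared between rows (one finding per issue)."""
    findings = []
    salts = Counter()
    for h in hashes:
        try:
            _variant, cost, salt, _digest = parse_bcrypt(h)
        except ValueError as e:
            findings.append(("malformed", str(e)))
            continue
        salts[salt] += 1
        if cost < min_cost:
            findings.append(("low_cost", cost))
    for salt, n in salts.items():
        if n > 1:   # a shared salt lets one guess be checked against every row using it
            findings.append(("salt_reused", n))
    return findings

if __name__ == "__main__":
    for kind, detail in audit_hashes(SAMPLE_HASHES):
        print(kind, detail)
```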

Runtime Application Self-Protection: A Better Line of Defense Against ATO Attacks

Given the stakes involved, companies must adopt more effective solutions to safeguard customer data. Emerging Runtime Application Self-Protection (RASP) solutions are designed to work inside the applications they protect.

Just as there’s no single point of entry to the corporate enterprise, there’s no single solution to address all the threats to your organization’s information assets. Protecting the network perimeter is critical, but with hackers increasingly targeting the low-hanging fruit of web applications, securing applications is the key to guarding against attacks that can breach the perimeter.

RASP protects against botnet attacks while they're in progress, through rate limiting and threat intelligence feeds. It identifies bots and breaks them by automatically serving captchas, stopping the attack in its tracks. RASP also alerts users to accounts that have already been stolen: by tracking changes in user behavior, browser usage, and geographic information, among many other factors, it identifies the specific accounts or sessions that are suspected victims of ATO attacks.

RASP addresses not only the ATO threat but also other application security risks, such as SQL injection, OS command injection, and the rest of the OWASP Top 10.



Published at DZone with permission of
