It’s not surprising that some Yahoo users have decided to sue the company for negligence over a 2014 breach that was only recently discovered and announced. But before we blame Yahoo for this, we need to understand how hackers accomplish such breaches — and what all of us should be doing better to prevent such breaches.
The reality is that all of us — individuals, businesses and policy makers — have a role to play in keeping us safe, whether it be engaging in better cyber safety, or passing regulations that ensure the public is notified of breaches so we can respond in a timely fashion.
Hackers wage a sort of asymmetric warfare. Instead of trying to circumvent sophisticated organizational firewalls, most go after soft targets — the employees and customers of the organization. Many use simple spear phishing attacks with hyperlinks that launch spoofed web pages that directly solicit user logins or hide malware in email attachments that provide backdoor access into the organization’s networks. Such attacks are enormously successful, securing victimization rates of close to 30% in some cases — a sobering statistic when one considers that the hacker needs just one victim. Other attacks, such as the hack into the U.K.’s ISP TalkTalk — exploit weaknesses in web forms and access the databases that run behind web pages. Such access is even easier when the hacker has procured the website administrator’s login through spear phishing.