Hacked Yahoo data still useful to crooks
"There's no single provider that's invulnerable these days." National Cyber Policy Office director Paul Ash
Data stolen from email provider Yahoo in the world’s biggest cyber security breach to date will be valuable to the criminal world, a cyber security expert says.
Yahoo has revealed that its system was infiltrated in 2013, and up to one billion sets of passwords and/or user names were accessed by an as-yet unknown hacker.
What has happened to that information is unclear but National Cyber Policy Office director Paul Ash said hackers often covered their tracks well and their intrusion went undetected for a long time.
Ash said the motivations for hacking ranged from intellectual curiosity to, most commonly, using the data for criminal gain.
It was usually sold to other criminals or used directly by the hacker themselves to obtain money from the victims.
‘‘If you can access and steal a large set of credentials, that’s a relatively low-cost way of then having a set of information that can be monetised quickly.’’
The value of the data might have declined somewhat in the three years since the hack, but if a user had not changed their password, the account could still be mined for personal information and others’ email addresses.
Ash said the breach was a reminder for everyone, not just Yahoo users.
‘‘There’s no single provider that’s invulnerable these days. The very best providers understand that there will be cyber-security threats to them and actively work to prevent and or manage those when they happen.’’
Cyber security was daunting to some, and he advised people who wanted plain language advice go to the webpage of Connect Smart, a government-private sector partnership.
Password keepers and two-step identification were his other pieces of advice.
‘‘If you’re looking for a password keeper, do some research, make sure it’s one that has a large user base and good reviews around its security. And second, where you can enable two-factor authentication, so as well as a password you have a second piece to the puzzle.’’
The Government plans to launch a national computer emergency response team (CERT) in March to give New Zealanders somewhere to report incidents of hacking and to support them.
The body would have no law enforcement powers, because trust was an important factor in similar models overseas, Ash said.
No numbers are yet available from Spark on how many of its 450,000 Xtra customers might have been affected.
But the telco said anyone who had changed their password in the last three and half years would have a secure account.
In addition, no credit card details for Xtra customers were stored by Yahoo, spokeswoman Michelle Baguley said.
They were stored in New Zealand, and Spark was also moving its email service away from Yahoo to a New Zealand provider.
’’This process was kicked off back in September and will run until all the data is relocated back here in our state-of-the-art Takanini Data centre around April/may 2017.’’
Privacy Commissioner John Edwards has urged the Government to make it mandatory for data breaches to be reported to the commission.