Impact of breach continues
As investors and investigators weigh the damage of Yahoo’s massive breach to the internet icon, information security experts worry that the record-breaking haul of password data could be used to open locks up and down the web.
While it’s unknown to what extent the stolen data has been or will be circulating, giant breaches can send ripples of insecurity across the internet.
‘‘Data breaches on the scale of Yahoo are the security equivalent of ecological disasters,’' said Matt Blaze, a security researcher who directs the Distributed Systems Lab at the University of Pennsylvania.
A big worry is a cybercriminal technique known as ‘‘credential stuffing’’, which works by throwing leaked username and password combinations at a series of websites in an effort to break in, a bit like a thief finding a ring of keys in an apartment lobby and trying them, one after the other, in every door in the building. Software makes the trial-and-error process practically instantaneous.
Credential stuffing typically succeeds between 0.1 per cent and 2 per cent of the time, according to Shuman Ghosemajumder, the chief technology officer of Shape Security.
That means cybercriminals wielding 500 million passwords could conceivably hijack tens of thousands of other accounts.
Meanwhile Yahoo users who recycle the same password across the internet may still be at risk.
While people can always change the passwords across all the sites they use, Yahoo’s announcement that some security questions were compromised too means that the risks associated with the breach are likely to linger.
A password can be changed, after all, but how do you reset your mother’s maiden name? AP