Recently, Yahoo announced 500 million accounts were breached. Scary stuff, right? Then, digging deeper, it turns out the accounts were breached in 2014, which doesn’t sound quite so bad. After all, that was two years ago. But the reality is, the passage of time doesn’t make it any less dangerous for you as an individual or as a business.
(Edit 10/4/2017: Yahoo just announced this breach was bigger than previously thought - it actually affected every single account)
The issue is that most people don’t follow safe password practices. They don’t change their passwords frequently enough and often use the same password for everything. How many of you have honestly changed the passwords to your social media, online shopping and bank accounts and work log-ins since 2014?
If you use the same password for everything, this can be devastating to you personally – and if your employees are using the same password for their work accounts, could lead to a major data breach at your company. In some cases, you can be using different passwords for everything and still be vulnerable.
Personal Problems
So, let’s assume that your account was one of the ones that was compromised in the recent Yahoo attack. Now, the hacker has access to your Yahoo email, which may not seem like much on the surface. But any account, like your social media account, online banking, Ebay, Amazon, etc created using that Yahoo email account that was just compromised, too. Did you file your taxes electronically using that account? They have access to that, too.
Imagine the damage that can be unleashed on your credit. With your account information, they can open unauthorized credit cards and accounts with your online banking information and make unauthorized purchases on ecommerce sites and ship them to wherever they choose. From there, they could mine critical data off of your electronic tax filing records to sell on the black market. Credit cards, PIN numbers, social security numbers, etc all could be sold to other hackers.
They can also use your account to launch other attacks, like pushing out thousands of bogus phishing emails (check out our Phishing Blog here) to everyone in your address book. The victims already recognize the email address from your hacked account so they are more likely to open the email, and become infected.
From there, the hacker can get into your social media accounts (either by using the password you use for both accounts, or by resetting the password using the email address they already have access to) and launch more attacks from there. Ever have a Facebook friend start sending out weird, spammy messages? They’ve been hacked, likely in a similar way.
Putting the Business at Risk
If your employees are using the same password for their work accounts, your entire company is now in danger. It’s not hard to find out where someone works and their work email, especially if they use a compromised email for LinkedIn or other social media accounts where they have work information listed.
Hackers can use this information to potentially access your company information. Employee and customer files can be stolen and can happen without you even knowing about it.
The picture doesn’t get any prettier. Consider how long and expensive the process for fixing this type of data breach is going to be. Companies that suffer data breaches are very unlikely to ever fully recover their reputation in the public’s eye. In fact, 60 percent of business that experience a data breach fold within six months.
Unfortunately, stories like Yahoo’s massive breach are only going to become more prevalent in todays’ world. It’s already not that uncommon to hear about massive data breaches that happened a few years ago and are just now coming to light (remember LinkedIn’s big data breach?) and it’s just going to keep happening.
Even though a data breach that happened several years ago may not seem like a big deal, it can very easily turn into one if your employees aren’t following best practices around data security, specifically passwords. And the reality is – most aren’t.
