10 Years After Yahoo Breach, What’s Changed? (Not Much)
Dark Reading: In 2016, Yahoo experienced a significant breach of 500 million user records, later discovering another breach compromising three billion accounts, making it one of the largest in history. The breaches, linked to Russian cybercriminals and various intelligence agencies, highlighted severe security failures within Yahoo’s IT systems. While these incidents were a major wake-up call for the cybersecurity industry, similar vulnerabilities still persist almost 10 years later. The breaches revealed key flaws, such as simple phishing attacks leading to significant data access, outdated and vulnerable encryption methods, password reuse among users, and a general lack of commitment to cybersecurity governance. These events marked a shift in corporate accountability and data privacy, with the SEC now requiring companies to disclose breaches within four days of discovery. The Yahoo breach continues to underscore the importance of cybersecurity in corporate governance and the lasting impact of major breaches on industry practices.
It’s not all doom and gloom: When cybersecurity gave us hope in 2023
TechCrunch: Despite an overwhelming array of cybersecurity breaches and challenges, there were notable instances of positive responses in the cyber world in 2023. For instance, when a security researcher discovered a data leak on a Bangladeshi government website, the government’s computer emergency response team acted promptly to fix the issue and even thanked the researcher for their contribution. In the U.S., security vulnerabilities discovered in court record systems by a researcher led to mixed responses, but also prompted several state officials to review their systems for flaws. And Apple, facing the threat of commercial spyware, acknowledged the problem and introduced Rapid Security Response fixes and a Lockdown Mode to harden device security. Finally, Google’s decision to store users’ location data on their devices, rather than centrally, marked a significant step towards privacy enhancement, potentially influencing other companies to reconsider their data storage practices. These instances reflect a growing awareness of, and action towards, cybersecurity and data protection, highlighting positive developments amidst the usual stream of cyber challenges.
Comcast Says Data of 36 Million Accounts Was Compromised in Breach
Wall Street Journal ($): Comcast reported that nearly 36 million Xfinity accounts were compromised due to a vulnerability in Citrix software, widely used for remote network access. The breach, which occurred between October 16 and 19, exposed usernames, hashed passwords, personal and contact information, including partial Social Security numbers. Discovered on October 25, the breach was linked to a Citrix vulnerability disclosed earlier in October, though attackers had been exploiting it since at least August. The number of compromised accounts exceeds Comcast’s active customer base, suggesting inactive accounts or multiple accounts per customer were affected. Comcast, which has not detected any data leakage or attacks on customers, has enforced password resets and advised customers to enable multifactor authentication for better security.
In 2014, The Washington Post published an article that included a photo of TSA master keys. A short time later, functional keys were 3D-printed using the key patterns visible in the photo. (source)
Approximately 85% of cybersecurity job postings require at least a bachelor’s degree in fields like computer science or cybersecurity, yet historically, only 60% to 70% of professionals in this sector actually hold such degrees. (source)
Happy New Year! As 2024 begins, we reflect on the forecasts made at the start of last year, assessing their relevance against the actual cyber landscape. This article provides insights into the trends that shaped cybersecurity in 2023, including Zero Trust adoption, AI’s role in security, and the evolving responsibilities of CISOs. Explore our retrospective analysis of 2023’s cybersecurity predictions here.
Charlie is a cybersecurity expert with 14 years of experience. He started his career in the U.S. armed forces and then transitioned into commercial roles. A security engineer by training, he is well-versed in tool deployment and administration.
Ellen brings a decade of GRC expertise to the TalPoint community. She is knowledgeable on a variety of frameworks and employs a methodical approach to compliance. She is available for needs assessments, gap assessments, internal audits, and, for certain frameworks, running independent third-party audits.
Zachary brings a 20+ year career in risk management to the TalPoint community. He has worked across healthcare, finance, and supply chain manufacturing. His broad experience offers both a holistic view of risk and a common-sense approach to risk management.