Last Hurrah for Yahoo? 500 Million Accounts Compromised

I have personally been on Yahoo email since it was released in 1997 (almost 20 years!). I remember how cool it was to have an email address that would live independently from my school, work and ISP accounts. This was especially cool because I lived in Silicon Valley and all three of those emails tended to change every few years. I have been a loyal user of Yahoo mail even when seemingly better or more popular alternatives were available (Gmail, AOL, Hotmail, etc.).

Well, today is the day that I may finally consider making the move to another service.

Turns out that way back in 2014 Yahoo lost access control for at least 500 million accounts. Even though they were aware of the claim for at least the past couple of months, they are just now admitting that it is, in fact, true.

Yahoo is trying to say and do the right things by stating that a “state-actor” was responsible, that the FBI is aware, and that users should change their password and turn on second-factor authentication. But they go on to minimize the issue with phrases such as state-sponsored attacks “have become increasingly common” and “Yahoo and other companies have launched programs to detect and notify users.” As if it is just business as usual to notify customers and move on…

Well, this time Yahoo may very well be facing an existential crisis. Already besieged by business execution issues and enduring a sale to Verizon, this may be the straw that breaks the camel’s back. Since this breach occurred in 2014 and wasn’t properly communicated or handled in a timely manner, it may very well give Verizon an “out” or a reason to renegotiate.

Yahoo has been doing a recent bit of “closing the barn door after the horses are gone” by encouraging users to use an alternative factor to the password with what they call “Yahoo Account Key.” We certainly recommend that users enable second-factor authentication on their important accounts, not share passwords between accounts, and use a good password manager.

But this is less of a story about 500 million user accounts being stolen (which is astonishing enough) and more about how lax security and poor handling of incidents can impact the very existence of a company. The stakes for properly securing access to corporate resources and handling security incidents couldn’t be higher.

Centrify recently surveyed thousands of consumers and found that two-thirds are likely to stop doing business with an organization that has been breached. Businesses shouldn’t wait until after they are breached to offer more secure access control than a simple username and password. If they do, their judgement and trustworthiness certainly should be called into question.

Now, all I have to do is change my email contact info with my doctor, satellite TV provider, mortgage company, relatives, credit cards, utilities, school loans, car loans, social security, voter registration, pharmacy, neighbors, wine club, Apple account, postal service, friends, house cleaners, internet provider, dentist…hmmm.

To find out more about how businesses like yours can better secure access to important resources for your employees, partners and customers, check out the webinar or download the booklet “Securing Enterprise Identities For Dummies.”