Yahoo announced that it suffered a data breach in late 2014 in which the account information of 500 million users was stolen. The stolen data may include names, email addresses, telephone numbers, dates of birth, hashed passwords (most of them hashed with bcrypt, but apparently not all), security questions, and security question answers.
People who have Yahoo-based services should immediately change their passwords, change their security questions and answers, stop using the same password on multiple accounts, and enable two-factor authentication where it is available.
SETTLEMENT UPDATE: A Canadian sex-toy manufacturer, We-Vibe, has been ordered to pay out almost $3 million to customers who bought a “smart vibrator” that tracked owners’ usage without their knowledge. Each customer who used the associated app will be paid $7,433, and customers who bought the vibrator but never used the app can claim up to $147.
For many years this blog has been raising awareness of the intimate nature of the vulnerabilities created by connected devices on the Internet of Things (IoT) (hacking a toilet, hacking other devices). This latest story about the We-Vibe sex toy is no surprise but, as explained below, the concern over shame hacking is no laughing matter.
We have been observing an evolution in hackers’ tactics, from going after data that can be monetized directly, such as payment card data, to going after data that can be monetized indirectly through extortion, such as the Ashley Madison data. The hack of the Brazzers porn site is similar to the Ashley Madison hack in that the real opportunity for monetization lies not in the intrinsic value of the data itself, but in the opportunity to use the data to embarrass and extort others into paying money to keep it secret.
Sitting in the Miami airport at 5:00 am I am reading news updates on the #SonyHack and a thought just occurred to me:
Previously, many of us preaching the “you better take your company’s security seriously” message to the C-Suites have been wondering if it would take a court decision finding C-Levels or Board members personally liable before they would fully appreciate the significance of cybersecurity risk to their companies.
In reading the articles about how the Sony hackers are releasing Sony executives’ entire email folders, including all of the personally and professionally embarrassing email conversations they have exchanged, it makes me wonder whether this will do more damage to their professional reputations and careers than anything else could. And, if it does, does that mean this may ultimately exert as much or more pressure on them (and on other executives who are watching) to put more emphasis on cybersecurity in their companies, when the risk-to-the-company message has not been working?
If there is one thing we know about human nature, it is that self-interest always prevails … will it here as well?