Yahoo Data Breach – Some Facts & Questions (i.e., was it really the Russians?)

hacked-1The Basic Facts

Yahoo announced that it had a data breach in late 2014 and 500 million users’ account information was stolen. The account information may include names, email addresses, telephone numbers, date of birth, passwords (most encrypted with bcrypt, but apparently not all), security questions, and security question answers.

People who have Yahoo-based services should immediately change their passwords, change their security questions and answers, not use the same password on multiple accounts, and implement dual factor authentication where available.

The Message in the Message

In its notification message, Yahoo subtly invokes the “it’s not our fault, we were the victim of a state-sponsored actor attacking us” defense. I do not blame Yahoo, it works. It uses the words “state-sponsored actor” twice in the first paragraph and twice in the fourth paragraph: Continue reading “Yahoo Data Breach – Some Facts & Questions (i.e., was it really the Russians?)”

You Could See This One Coming: Vibrator Company Sued for Tracking Usage

flingSETTLEMENT UPDATE: A Canadian sex-toy manufacturer, We-Vibe, has been ordered to pay out almost $3 million to customers who bought a “smart vibrator” that tracked owners’ usage without their knowledge. Each customer who used the associated app will be paid $7,433, and customers who bought the vibrator but never used the app can claim up to $147. READ MORE


For many years this blog has been raising awareness of the intimate nature of vulnerabilities that are created by connected devices on the Internet of Things (IoT) (hacking a toilet, hacking other devices). This latest about the We-Vibe sex toy is no surprise but, as explained below, the concern over shame hacking is no laughing matter.

Today’s Law 360 leads with an article about a recently filed privacy lawsuit: Vibrator Gets Too Intimate By Tracking Usage Info, Suit Says (paywall). According to the article, Continue reading “You Could See This One Coming: Vibrator Company Sued for Tracking Usage”

Brazzers porn hack: more than just account holders exposed–what does this mean for your company?

hackedWe have been observing an evolution in hackers’ tactics from going after data that could be directly monetized, such as payment card data, to going after data that can be monetized indirectly through extortion, such as the Ashley Madison data. The hack of Brazzers porn site is similar to the Ashley Madison hack in that the real opportunity for monetization lies not in the intrinsic value of the data itself, but in the opportunity to use the data to embarrass and extort others into paying money to keep it secret.

The data dump from the hackers includes email addresses, user names and passwords spelled out in plain text, which can certainly Continue reading “Brazzers porn hack: more than just account holders exposed–what does this mean for your company?”

#SonyHack: Will Executives’ Embarrassing Emails Better Motivate Cybersecurity Change?

Sitting in the Miami airport at 5:00 am I am reading news updates on the #SonyHack and a thought just occurred to me:

Previously, many of us preaching the “you better take your company’s security seriously” message to the C-Suites have been wondering if it would take a court decision finding C-Levels or Board members personally liable before they would fully appreciate the significance of cybersecurity risk to their companies.

In reading the articles about how the Sony Hackers are releasing Sony Executives’ entire email folders and all of the personally and professionally embarrassing email conversations they have exchanged, it makes me wonder if this will not do more damage to their professional reputations and careers than anything. And, if it does, does that mean that this may ultimately exert as much or more pressure on them (and other executives who are watching) to put more emphasis on cybersecurity in their companies when the risk to company message has not been working?

If there is one thing we know about human nature, it is that self-interest always prevails … will it here as well?