
St. Paul University Philippines
Tuguegarao City, Cagayan 3500

GRADUATE SCHOOL
Doctor in Information Technology

DIT 308 – Information Technology Assurance and Security

Student ID: Date of Submission (mm-dd-yy): 05-26-18


Student Name: Professor:

Direction(s): You can refer to HISTORY. You may revisit newspapers, e-magazines, journals,
youtube, and other sources where you can get information about the world's security breaches.
Definitely, you must have known them, too. Share your insights. UPLOAD your output under this
link using the prescribed template. Ensure to AGREE/DISAGREE/BRAINSTORM about the
answers of your other classmates.

Security Breach (The Topic)

Yahoo’s 2013-2014 Email Hack

Brief Description about the Security Breach

The 3 billion Yahoo accounts compromised by a 2013 hack make this easily the biggest
data breach in the internet era. All Yahoo users were affected by the breach although Yahoo did
not determine that this was the case until 2017. Though the U.S. government indicted Russian
hackers for a later breach that took place in 2014, it is not certain how the 2013 hack occurred.

Perpetrators or Violators of the Security Breach

According to the FBI (cited in Williams, 2017), Aleksey Belan, a Latvian computer/network
engineer and software programmer, and Karim Baratov, a Canadian-Kazakh computer hacker,
were requested by Russian agents Dmitry Dokuchaev and Igor Sushchin to target and access the
accounts of certain Yahoo users.

Affected People or Entities because of the Security Breach

According to Yahoo (cited in Armerding, 2018), the attack compromised the real names,
email addresses, dates of birth and telephone numbers of 500 million users. A couple of months
later, in December, Yahoo eclipsed that earlier record with the disclosure that a separate breach in
2013, by a different group of hackers, had compromised 1 billion accounts. In October 2017, Yahoo
revised that estimate, saying that, in fact, all 3 billion user accounts had been compromised.

Setting of the Security Breach

The hack began with a spear-phishing email sent in early 2014 to a Yahoo company
employee. It is unclear how many employees were targeted and how many emails were sent, but
it only takes one person to click on a link, and it happened. (Williams, 2017)

Extent of Loss or Liabilities

Yahoo estimated that 3 billion user accounts had been compromised. Yahoo sold itself to
Verizon for $4.48 billion in June. But the deal was nearly derailed by the disclosure of the breaches
and $350 million was cut from Verizon’s original offer. Yahoo was hit with several shareholder
lawsuits after the breaches became public, and the disclosure that data on all of its accounts was
compromised could increase financial liabilities for Verizon. Because many of the three billion
Yahoo accounts belong to people who use the same passwords for different sites and services,
there is likely to be an escalation of email fraud and account takeovers. (Perlroth, 2017)

The World’s Insights

As Perlroth (2017) pointed out, an estimated three billion user accounts had been
compromised, and the incident was not properly disclosed to the public. The problem is that
many of those three billion accounts belong to people who use the same passwords for different
sites and services, so there is a high possibility of an escalation of email fraud and account
takeovers.

Pham (2016) suggested the following to protect your account from hackers: (1) use
different passwords for all online accounts; (2) beware of emails asking for more information; and
(3) block access to your credit report.

Forrest (2016) suggested four ways a company can avoid Yahoo-level stupidity in
enterprise security: (1) make security your brand; (2) understand your encryption; (3) know where
your data is; and (4) anticipate the consequences.

Vigliarolo (2017) suggested ways to protect yourself: (1) completely get rid of your Yahoo
account; (2) if you are in a position where erasing yourself from Yahoo is not possible, take steps
to protect your account, such as flagging accounts for a forced password change, invalidating
compromised security questions, and a two-factor authentication method that requires you to
verify your login on a mobile phone; and (3) affected users should secure other accounts and keep
an eye out for suspicious activity.

My Personal Insights

I agree with Perlroth that, of the estimated three billion user accounts, many belong to
people who use the same usernames and passwords for different sites and services, resulting in
an escalation of email fraud and account takeovers. Another issue here is that the incident was
not properly disclosed to the public. It was only properly disclosed by Yahoo in 2017.

In order to avoid or prevent such terrible incidents, the following are suggested or proposed:

(1) Companies need to step up security measures to protect themselves not only against
hacking, but also against the aftereffects of hacking, like credential stuffing attacks;
(2) Companies should immediately notify their clients or users and advise them what
actions are to be undertaken;
(3) Government and State should continue to update and strengthen their policies and
programs related to cyber security;
(4) Government and State should also look into the so-called "state-sponsored actor" or
"state-sponsored group";
(5) Academic institutions (elementary, high school, college) must include IT/IS security
in their programs so that students become aware of cyber security threats and their
preventive/counter measures; and
(6) Everyone needs to be vigilant about protecting their data in an era of widespread
criminal and government hacking.

Relevance to this Course (DIT 308):


The course DIT 308 Information Technology Assurance and Security provides students a
deeper understanding of information security and assurance, data privacy, and risk management.
Working on this activity provided information relevant to the subject:
(1) Some of the most famous security breaches in the world;
(2) A deeper understanding of the 2013 Yahoo email hack, including:
(a) The effect;
(b) The perpetrators;
(c) How the breach happened;
(d) The vulnerabilities; and
(e) Counter/preventive measures.

Other security breaches similar or related to the topic:

In addition to my topic, the following are some of the most famous security breaches in the
world with a short description:

(1) Adult Friend Finder. The FriendFinder Network, which included casual hookup and
adult content websites like Adult Friend Finder, Penthouse.com, Cams.com, iCams.com and
Stripshow.com, was breached sometime in mid-October 2016. Hackers collected 20 years of data
(more than 412.2 million accounts) on six databases that included names, email addresses and
passwords.
(2) eBay. The online auction giant reported a cyberattack in May 2014 that it said
exposed names, addresses, dates of birth and encrypted passwords of all of its 145 million users.
The company said hackers got into the company network using the credentials of three corporate
employees, and had complete inside access for 229 days, during which time they were able to
make their way to the user database.
(3) Equifax. Equifax, one of the largest credit bureaus in the U.S., said on Sept. 7, 2017
that an application vulnerability on one of their websites led to a data breach that exposed about
147.9 million consumers. The breach was discovered on July 29, but the company says that it
likely started in mid-May.
(4) Heartland Payment Systems. One hundred thirty-four million credit cards were exposed
after SQL injection was used to install spyware on Heartland's data systems. At the time of the
breach, Heartland was processing 100 million payment card transactions per month for 175,000
merchants, most of them small- to mid-sized retailers. The breach wasn't discovered until January
2009, when Visa and MasterCard notified Heartland of suspicious transactions from accounts it
had processed.

Reference(s)

Armerding, T. (2018, Jan. 26). The 17 biggest data breaches of the 21st century. Retrieved from
https://www.csoonline.com/article/2130877/data-breach/the-biggest-data-breaches-of-the-21st-century.html

Forrest, C. (2016, Dec. 15). 4 ways your company can avoid Yahoo-level stupidity in enterprise
security. Retrieved from
https://www.techrepublic.com/article/4-ways-your-company-can-avoid-yahoo-level-stupidity-in-enterprise-security/

Pham, S. (2016, Dec. 16). Got a hacked Yahoo account? Here's what you should do. Retrieved
from http://money.cnn.com/2016/12/15/technology/yahoo-security-breach-billion-users/index.html

Perlroth, N. (2017, Oct. 3). All 3 Billion Yahoo Accounts Were Affected by 2013 Attack.
Retrieved from https://www.nytimes.com/2017/10/03/technology/yahoo-hack-3-billion-users.html

Sporck, L. (2017, Nov. 22). 11 of the Largest Data Breaches of All Time (Updated). Retrieved
from https://www.opswat.com/blog/11-largest-data-breaches-all-time-updated

Vigliarolo, B. (2017, Oct. 4). All of Yahoo's 3B accounts were hacked back in 2013, here's how
to protect yourself. Retrieved from
https://www.techrepublic.com/article/all-of-yahoos-3b-accounts-were-hacked-back-in-2013-heres-how-to-protect-yourself/

Williams, M. (2017, Oct. 4). Inside the Russian hack of Yahoo: How they did it? Retrieved from
https://www.csoonline.com/article/3180762/data-breach/inside-the-russian-hack-of-yahoo-how-they-did-it.html
