

Risk & Repeat: Second Yahoo data breach uncovered


In this episode of SearchSecurity's Risk & Repeat podcast, the editors discuss the second major Yahoo data breach and what it means for both the company and its users.

The discovery of a second Yahoo data breach has led to more criticism of the company's security practices and of its reliance on an insecure hashing algorithm to protect user passwords.

Last week, Yahoo announced that, during its investigation of the 2014 data breach that exposed the information of more than 500 million user accounts, forensic investigators discovered evidence of another breach that took place a year earlier.

The 2013 Yahoo data breach, according to the company, saw threat actors steal account information, including names, dates of birth, hashed passwords and some encrypted or unencrypted security questions and answers, for more than 1 billion accounts.

In addition, Yahoo disclosed that, in 2013, its stored passwords were hashed with MD5, an algorithm that was already known to be insecure for password protection at that time. That disclosure has led to more criticism of Yahoo's security practices. Separately, The New York Times reported that threat intelligence vendor InfoArmor discovered in August that Yahoo user data from the 2013 breach was up for sale on the dark web. InfoArmor contacted law enforcement and military agencies in several countries, including the U.S., but did not contact Yahoo directly, which has led to questions about InfoArmor's response.

Why was Yahoo using the insecure MD5 algorithm in 2013? What will be the effect of that much user data and personally identifiable information being in the wild? Did InfoArmor have a responsibility to disclose its findings to Yahoo? In this episode of SearchSecurity's Risk & Repeat podcast, editors Rob Wright and Peter Loshin discuss those questions and more about the second Yahoo data breach.
