Jan 03, 2017
Kon Leong, CEO and founder of ZL Technologies, said companies should take steps to protect themselves from similar breaches.
“Apart from best practices for password security, such as frequently prompting users to change passwords and never storing raw password data, there are a few things companies with user data should consider,” Leong said. “For instance, client-side encryption is helpful to prevent raw passwords from being sent over the wire.”
At the time of the breach, Yahoo was protecting passwords with MD5, a cryptographic hash function that maps a message of any length to a fixed 128-hexadecimal-digit digest (32 hex characters) and which can be vulnerable to attacks, he said. Leong noted that the company has since moved on from the practice.
He also suggested that companies “make use of ‘white hats,’ guns for hire who will attempt to hack into a company’s system as a way of detecting vulnerabilities.”
Leong said Yahoo’s users find themselves in a strange situation since the breach occurred so long ago and only limited facts about the intruder’s intent are available. But they should still take steps now to secure their accounts, he said.
“Though it’s likely any damage would have already been done by now, the first thing anyone with an account should do is to change their password and, often overlooked: their security questions and answers,” Leong said.
“Users should also remove any sensitive information from their accounts so that in the event they are accessed, users can still retain anonymity,” he added.