What the Yahoo! account data breach means for the future of identity

Yahoo! yesterday announced that more than 500 million of its user accounts were subjected to a data breach dating back to 2014. The company learned of the breach this summer when hackers posted the stolen Yahoo data to underground forums and marketplaces, and attributes it to a state-sponsored actor in 2014.

While the hacker is no longer infiltrating the network, compromised user information may include names, email addresses, telephone numbers, dates of birth, hashed passwords, and encrypted and unencrypted security questions and answers from the Yahoo account.

Yahoo has taken proactive measures to alert all of the affected Yahoo users. It specifically recommends that users reset their passwords, disable security questions and consider using the Yahoo Account Key authentication tool in the future, to enhance account security with two-factor authentication.

To put this in context for the broader identity ecosystem, Janrain’s data shows that less than one percent of global social logins are through the Yahoo! service. For those who support Yahoo! as a social identity provider within the Janrain platform, Yahoo! has already alerted any users of your service to change their account credentials within the Yahoo! platform.

Toward a passwordless future

Each time there is a public revelation of a customer data breach, the calls for the death of passwords grow louder. We believe that the ultimate goal for secure authentication is to eliminate passwords entirely; their very prevalence has made them unsafe, because users re-use them and choose easy-to-crack values.

As an easy step toward that future, Janrain recommends multi-factor authentication, or one-time code generation, for higher account security. Consumer acceptance of second-factor authentication is over 70%, and grows with each new news item about account breaches.

Eventually, the death of passwords will come from a combination of all of the factors that can be used to determine that someone is who they say they are, without the user having to do anything. That will look like a combination of behavioral and profile signals such as keystrokes, location and device features that together indicate whether this person is legitimate. If the signals fall below a certain level of certainty, then stronger factors such as biometrics or passwords can be employed to re-establish identity. As a bonus, these mechanisms are more secure while also enhancing usability.
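The mechanism sketched above, as an added example rather than code from this post or from Janrain's product: a small scorer that combines passive signals into a confidence value and only asks for an explicit factor when that confidence falls below a threshold. The signal names, likelihood ratios, prior and threshold are all constructed assumptions for illustration.

```python
"""Risk-based (step-up) authentication scorer.

Combines passive signals (device, location, typing rhythm) into a
confidence that the session belongs to the account holder, and demands
an explicit factor only when confidence is below a threshold.
All weights and sample sessions are constructed for this example.
"""
import math
from dataclasses import dataclass

# Likelihood ratios (constructed): how much more likely each observation
# is for the legitimate account holder than for an impostor.
# Tuple is (ratio when the signal is observed, ratio when it is not).
LIKELIHOOD_RATIOS = {
    "known_device": (8.0, 0.25),
    "usual_location": (5.0, 0.2),
    "typing_rhythm_match": (4.0, 0.3),
}


@dataclass
class Session:
    known_device: bool
    usual_location: bool
    typing_rhythm_match: bool


def log_odds(session: Session, prior_legit: float = 0.9) -> float:
    """Naive-Bayes style combination: start from the prior log-odds that a
    session is legitimate and add each signal's log likelihood ratio."""
    score = math.log(prior_legit / (1 - prior_legit))
    for name, (lr_seen, lr_unseen) in LIKELIHOOD_RATIOS.items():
        score += math.log(lr_seen if getattr(session, name) else lr_unseen)
    return score


def confidence(session: Session) -> float:
    """Probability, in [0, 1], that the session is the account holder."""
    return 1.0 / (1.0 + math.exp(-log_odds(session)))


def decide(session: Session, threshold: float = 0.95) -> str:
    """'allow' when passive signals alone reach the threshold, otherwise
    'step_up' to an explicit factor (one-time code, biometric, password)."""
    return "allow" if confidence(session) >= threshold else "step_up"
```

A returning user on a known device from their usual location passes silently; a login from an unknown device in a new place, with an unfamiliar typing rhythm, is sent to step-up.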

How we stay secure

We believe that security questions, one of the data sources breached at Yahoo!, are inherently insecure and should be avoided. Because the security questions were not encrypted, the breach gives attackers answers that customers commonly reuse across multiple sites. Encryption of all customer data is critical to keeping it secure.

We can expect in the aftermath of this breach that customer account security measures will be especially scrutinized in every enterprise organization. Janrain’s approach, which has been lauded by third-party auditors, is a cross-company, formal program of practices designed to secure our clients’ information and to effectively address and communicate security concerns.

We are committed to keeping our clients and their customers secure. You can learn more about our security and privacy practices here.