The Cumulative Effect of Major Breaches: The Collective Risk of Yahoo & Equifax

Until quite recently, people believed that a dizzying one billion accounts were compromised in the 2013 Yahoo! breach… and then it was revealed that the real number is about three billion accounts. 

That raises the question: so what? Isn’t all the damage from a four-year-old breach already done?

The answer: not at all. For those who have taken control of the compromised accounts, or who possess confidential information about a billion or more individuals, the Yahoo! breach is the gift that will keep on giving.

First of all, the consequences of the breach are not yet fully realized. Criminals have only recently started using compromised email accounts to spread ransomware and spam. As email service providers increasingly use the age of the sending account as an indicator of risk, the value to criminals of long-established but compromised accounts has started to increase. These accounts become a circumvention strategy for criminals wishing to reliably deliver malicious emails. As the value of an established account goes up, the damage that can be done by using the compromised accounts does, too. 

Second, criminals have only recently started to mine the contents of compromised accounts to identify promising opportunities – but that is increasingly happening now, and is becoming another source of value to the Yahoo! attackers (and anybody who has already purchased compromised accounts from them). To a large extent, we are still in the “manual effort” phase of this type of attack, wherein attackers have not yet understood exactly what they are looking for, and therefore have not yet written scripts to automate the task. Once their understanding matures and they automate the process, the vast volumes of compromised accounts will turn into new criminal opportunities.

And the automated extraction of meaningful content will dramatically increase the yield of the attacks that the criminals will be able to mount. Think of it like this: if your account was compromised, and a good friend or colleague gets an email from you … or rather, your email account … with a malicious attachment, will they open it? If the email is obvious spam, they probably won’t, but if the message makes sense, they will; and if the attacker knows what you and your contact normally talk about, that isn’t difficult to do.

There is also a multiplier effect as the number of major breaches of consumer data rises.

In the recent Equifax breach, criminals made off with information for more than 145 million Americans, including names, mother’s maiden names, social security numbers, addresses, birthdays, and more. But not email addresses, and not banking affiliations and account numbers. A crafty attacker can easily match the names and birthdays of the Equifax breach to the names and birthdays of the Yahoo! breach, automatically generating very powerful combinations. With this combined intelligence, the attacker can contact banks, posing as banking customers, and gain access to accounts. 

If you still think “so what?”, I have news for you. This could be your ruin, even if you have no money in your bank account. 

Here is what could happen: The criminal adds himself to your bank account. Now he can withdraw money from the account. Then he deposits a large – albeit forged – check, say $100,000. According to banking regulations, 50% of the deposited amount must be available to account owners within three days, which is when the criminal withdraws $50,000 from your/his account. When the check bounces, that is your problem. It is your account, and you may be liable for the entire amount, depending on the policies and discretion of the individual bank. But this is just an example, and the criminals have many more opportunities to monetize their bounty, and have years to do so.

While there are no signs today of criminals consolidating and reselling data from different breaches, it is an obvious concern as the value-add of the packaging would be substantial.

When such consolidated breach data eventually hits the black market – and this is only a matter of criminal initiative, as all the data is out there – then new and more targeted attacks will be enabled on a large scale. By then, we as a society must be ready to withstand this threat, which comes down to having defenses that do not rely to any extent on the caution of the end user, but which identify and address deception in an automated way. While such systems exist today, the extent to which they are deployed is still very limited.
