Widespread Data Hacks Need to Serve as a Reminder to Strengthen Employee Email and Password Policies


By: Melissa A. Santalone

With its second large-scale hack announced on December 14, which this time reportedly compromised more than 1 billion user accounts, Yahoo’s latest cybersecurity conundrum should serve as a reminder to organizations large and small that strong employee email policies are needed to protect confidential and sensitive data. The most recently announced hack into Yahoo’s user accounts, the second announced in the last 4 months, reportedly exposed the account information of 150,000 government and military employees, including information such as the employees’ names, passwords, phone numbers, birthdates, security questions, and back-up email addresses. These government and military employees provided Yahoo with their official work email addresses as back-ups in case they were ever locked out of their Yahoo accounts. With this hack, a “hit list” of these official email addresses can be compiled to launch targeted hacking attempts on known government and military accounts in an attempt to obtain sensitive information. While the stolen passwords may be subject to at least some encryption, a real risk of compromise exists to government and military email accounts if the users of those accounts happen to use the same passwords for both their Yahoo and work email accounts.

While the latest Yahoo hack again highlights the potential pitfall of employees using work email addresses in their personal lives, this issue has been raised before in the hacks of user accounts with Ashley Madison and LinkedIn, among others. In both those hacks, user email addresses were exposed and many of those addresses were corporate email accounts. When the passwords associated with the Ashley Madison or LinkedIn profiles were also exposed and the users reused those same passwords for their corporate accounts, hackers may have gained easy access into corporate emails and possibly even corporate computer systems.

Remember, to some degree, your organization’s cybersecurity is only as strong as your employees’ weakest password. Thus, in order to better protect your organization, you can:

  • Set a policy prohibiting employees from associating their work email accounts with any external services, whether as the primary login or even if just as a back-up email account for recovery purposes;
  • Establish and enforce password policies for all of your corporate user accounts (emails, network logins, etc.) which impose minimum password strength requirements and the resetting of passwords after a short, fixed time period, such as 90 days; and
  • Educate your employees about the risks posed by password reuse across various accounts and require them to use unique passwords for their work accounts that are not used with any other personal account.

For help in drafting or reviewing cybersecurity policies to protect your organization, please contact one of the attorneys in our Cyber Liability, Data Security & Privacy team.