- Emergency Consultation Services
- Risk Management Services
- Who We Are
- Our People
- What We Do
- Why We Are Different
- What’s New
- Where We Are
With its second, large-scale hack announced on December 14, which this time reportedly compromised more than 1 billion user accounts, Yahoo’s latest cybersecurity conundrum should serve as a reminder to organizations large and small that strong employee email policies are needed to protect confidential and sensitive data. The most recently announced hack into Yahoo’s user accounts, the second announced in the last in 4 months, reportedly exposed the account information of 150,000 government and military employees, including information such as the employees’ names, passwords, phone numbers, birthdates, security questions, and back-up email addresses. These government and military employees provided Yahoo with their official work email addresses as back-ups in case they were ever locked out of their Yahoo accounts. With this hack, a “hit list” of these official email addresses can be compiled to launch targeted hacking attempts on known government and military accounts in an attempt to obtain sensitive information. While the stolen passwords may be subject to at least some encryption, a real risk of compromise exists to government and military email accounts if the users of those accounts happen to use the same passwords for both their Yahoo and work email accounts.
While the latest Yahoo hack again highlights the potential pitfall of employees using work email addresses in their personal lives, this issue has been raised before in the hacks of user accounts with Ashley Madison and LinkedIn, among others. In both those hacks, user email addresses were exposed and many of those addresses were corporate email accounts. When the passwords associated with the Ashley Madison or LinkedIn profiles were also exposed and the users reused those same passwords for their corporate accounts, hackers may have gained easy access into corporate emails and possibly even corporate computer systems.
Remember, to some degree, your organization’s cybersecurity is only as strong as your employees’ weakest password. Thus, in order to better protect your organization, you can:
For help in drafting or reviewing cybersecurity policies to protect your organization, please contact one of the attorneys in our Cyber Liability, Data Security & Privacy team.