By Kate Higgins
A leading cyber security expert has warned there’s nothing end-users can do about a massive data breach that may have affected more than 1 billion Yahoo accounts.
The beleaguered internet giant says it believes hackers have stolen data from the accounts in a breach dating back to August 2013, believed to be the largest attack on an email provider ever.
It’s not good news for the company, which is the subject of a $4.8 billion takeover bid by communications behemoth Verizon, and was also the target of another breach in 2014 — believed to be separate — which exposed 500 million accounts.
Customers have been advised to change their passwords and invalidate their security questions, but cyber security expert Bill Caelli, an Emeritus Professor at the Queensland University of Technology’s Science and Engineering Faculty, says that at the end of the day, those precautions could be of little use.
So are you ready for the bad news?
When it comes to a cyber attack, “there’s nothing the end-user can do,” Professor Caelli says.
“It’s got nothing to do with the end user, mum and dad, the personal user. That’s why it’s very frustrating.”
Yahoo says users’ names, email addresses, phone numbers, birthdays and security questions and answers may all have been accessed by the attackers, but that bank account and payment data should be safe.
Passwords should also be protected by two levels of encryption, the company says.
But Professor Caelli says there’s no real way to know how far hackers have infiltrated a system and that they could stay hidden long after account passwords and security questions had been changed.
“If they penetrate the system, they often leave a time bomb behind … and that can explode whenever they want it to.”
Will everyone leave Yahoo en masse?
Professor Caelli says there is not much data on how consumers behave after a hack.
But, one thing is for sure — it’s not a quick task to migrate an email account.
In addition to changing all of your accounts and subscriptions that may use your email address, you have to wade through correspondence that could date back decades.
“You have to open up [a new email account] … and not close down your Yahoo account and email all your past stuff [to your new account],” Professor Caelli says.
“If you’ve been with Yahoo for the past 10 years, you get the idea.
“[People say] ‘it’s alright, just change over if you don’t like it’ — it’s not that easy.”
Who’s responsible for cyber security?
Professor Caelli believes the responsibility for protecting internet users falls squarely at the feet of regulators.
He says the Government should make companies liable for the protection and security of their information systems.
“You buy a car, you’re subject to the Motor Vehicle Standards Act … An IT system? It’s ‘she’ll be right, don’t worry about it’,” he says.
He said he did not believe companies would take up the challenge off their own bats.
“When you’re doing consultancy in cyber security [you get asked two questions],” he says.
“‘What’s our legal responsibility?’ and ‘can we go to jail if something goes wrong?’ If the answer is ‘no’ to both of those, then cyber security is just an extra cost.”
The Australian Government isn’t having its best year in the cyber sphere.
A report released this year by the Australian Centre for Cyber Security warned the country’s cyber security capabilities were “badly lagging” and called for a “rapid catch-up … for military security in the information age”.
And then there was the #censusfail.
Is the worst still to come?
“We have a society so utterly and totally dependent [on technology],” Professor Caelli warns. And that could have dire consequences.
“We’re coming into the ‘internet of things’ … when your lightbulbs are hooked up to the internet,” he says.
“Imagine that your refrigerator is hooked up and about the safety and security of that.
“Yahoo is just a forerunner of what can become worse in 2017.”
This post originally appeared on ABC News.
© 2016 Australian Broadcasting Corporation. All rights reserved.