That's because multiple other sites - including Dropbox, LinkedIn, MySpace and Tumblr - also were either greatly delayed in discovering they'd been breached or they dramatically underestimated how badly they'd been breached, notes Sullivan, who's a security adviser at Finnish security firm F-Secure.
Sullivan adds that it's quite likely that Yahoo wouldn't have fallen a victim to such an attack, or at least a breach of this severity, if it were to be targeted today, thanks to security changes put in place since 2014. "The revelations from some of the documents that Edward Snowden ... disclosed really kind of woke up Silicon Valley to securing their systems not just from outside threats, but also from internal [threats]," he says. Snowden-related leaks began in 2013, which was the same year that a watering hole attack against the popular iPhoneDevSDK site for iOS developers led to the compromise of Apple, Facebook, Microsoft and Twitter, among others.
Those incidents were a wake-up call for technology firms to better secure their data, and Sullivan says that subsequently, Yahoo began using better encryption for its passwords, offering users two-factor authentication and encrypting users' security questions and answers.
In this audio interview with Information Security Media Group, Sullivan also discusses:
- The timing of Yahoo's breach disclosure, vis-à-vis its related digital forensic investigation;
- Why organizations such as Yahoo, post-Snowden, are likely better equipped to prevent these types of breaches;
- Password hygiene best practices, both for organizations that store passwords as well as users who pick them.
Sullivan is a security adviser at Helsinki, Finland-based security firm F-Secure.