Today Yahoo Chief Information Security Officer Bob Lord released this – “We have confirmed, based on a recent investigation, that a copy of certain user account information was stolen from our networks in late 2014 by what we believe is a state-sponsored actor. The account information may have included names, e-mail addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt), and, in some cases, encrypted or unencrypted security questions and answers.”
Why should this matter to PeopleSoft customers?
You might think that this wouldn’t affect your organization directly. But you could be horrifyingly wrong. With a US population of a little over 300 million people, you can almost guarantee that a significant number of your end-users have had one of their commonly-used passwords compromised.
The bad guys now have two things that help them attack your organization (and, since the theft happened in 2014, they have probably been using them for some time):
- Knowledge of ID and password combinations that are likely in use at your organization (since you can’t prevent people from re-using passwords across systems)
- A large corpus (500 million) of passwords that real people actually use. Fed into cracking tools as a dictionary, it shortcuts brute-force attacks against your PeopleSoft systems
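One direct counter to the second point is to screen passwords at reset time against a corpus of known-leaked passwords, so a user cannot simply re-enter the same password that was stolen elsewhere. The following is an added illustration, not code from GreyHeller or from PeopleSoft; the breach corpus is a constructed three-entry list, and a real deployment would load a bulk feed of pre-hashed entries instead:

```python
import hashlib

# Constructed breach corpus for the demo. A defender keeps only hashes of
# leaked passwords, never the plaintexts; the three plaintexts below exist
# solely so the index can be built inline.
LEAKED_PLAINTEXTS_FOR_DEMO = ["Summer2014!", "password123", "qwerty"]


def sha1_hex(password: str) -> str:
    """Hash a password the same way the corpus is hashed, for lookup."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_breach_index(plaintexts) -> set:
    """Build the set of hashed leaked passwords (assumed to arrive already
    hashed, in bulk, outside this demo)."""
    return {sha1_hex(p) for p in plaintexts}


BREACH_INDEX = build_breach_index(LEAKED_PLAINTEXTS_FOR_DEMO)


def is_breached(candidate: str, index=BREACH_INDEX) -> bool:
    """True if the candidate appears in the known-breach corpus."""
    return sha1_hex(candidate) in index


def validate_reset(candidate: str, min_length: int = 8, index=BREACH_INDEX):
    """Decide whether a password submitted during the forced reset is
    acceptable. Returns (accepted, reason)."""
    if len(candidate) < min_length:
        return False, "too short"
    if is_breached(candidate, index):
        return False, "appears in a known breach corpus"
    return True, "ok"


if __name__ == "__main__":
    for pw in ["Summer2014!", "correct-horse-battery-staple", "short"]:
        print(pw, validate_reset(pw))
```

The lookup hashes only the candidate, so the plaintext of the corpus never needs to be stored on the authentication server; SHA-1 is used here only because large published breach lists are commonly distributed in that form, not as a password storage hash (bcrypt, as Yahoo used, remains the right choice for storage).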
There are a number of things you can do to protect yourself. GreyHeller recommends:
- Immediately require all your users to reset their passwords
- Log every login attempt from untrusted locations, successful or not, so that an attack can be detected
- Implement 2FA so that a compromised password would have limited value to the bad guys
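The logging recommendation above is only useful if someone reads the logs for the pattern credential replay leaves: one source address cycling through many different user IDs, mostly failing, with the occasional success. Below is an added example of that detection logic, not GreyHeller's or PeopleSoft's code; the trusted network ranges and the sign-on log lines are constructed assumptions (a real deployment would substitute its own VPN and campus ranges and feed its own sign-on audit records in whatever format they take):

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Assumption for the example: these ranges are the organization's own.
# Anything outside them counts as an "untrusted location".
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                    ipaddress.ip_network("192.168.0.0/16")]

# Constructed sign-on records in a simple "timestamp user ip result" form.
SAMPLE_LOG = """\
2016-09-22T08:00:01 jsmith 10.1.2.3 SUCCESS
2016-09-22T08:00:05 akumar 203.0.113.7 FAILURE
2016-09-22T08:00:06 bchen 203.0.113.7 FAILURE
2016-09-22T08:00:07 cdiaz 203.0.113.7 FAILURE
2016-09-22T08:00:08 dlee 203.0.113.7 SUCCESS
2016-09-22T08:00:09 efox 203.0.113.7 FAILURE
2016-09-22T08:00:10 ggray 203.0.113.7 FAILURE
2016-09-22T08:15:00 jsmith 198.51.100.9 SUCCESS
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(SUCCESS|FAILURE)$")


def parse_log(text):
    """Parse log lines into events; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, user, ip, result = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "ip": ipaddress.ip_address(ip), "result": result})
    return events


def is_trusted(ip):
    return any(ip in net for net in TRUSTED_NETWORKS)


def untrusted_logins(events):
    """Every attempt, successful or failed, from outside the trusted ranges."""
    return [e for e in events if not is_trusted(e["ip"])]


def credential_stuffing_sources(events, min_users=5, min_failures=3):
    """Source IPs that tried many distinct accounts and mostly failed: the
    signature of a leaked ID/password list being replayed."""
    users = defaultdict(set)
    failures = defaultdict(int)
    for e in events:
        users[e["ip"]].add(e["user"])
        if e["result"] == "FAILURE":
            failures[e["ip"]] += 1
    return sorted(str(ip) for ip in users
                  if len(users[ip]) >= min_users and failures[ip] >= min_failures)


def successes_from_untrusted(events):
    """Successful sign-ons from untrusted locations, the ones to review first:
    a success inside a stuffing burst is a likely account takeover."""
    return [(e["user"], str(e["ip"])) for e in untrusted_logins(events)
            if e["result"] == "SUCCESS"]


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("untrusted attempts:", len(untrusted_logins(evts)))
    print("stuffing sources:", credential_stuffing_sources(evts))
    print("untrusted successes:", successes_from_untrusted(evts))
```

In the constructed sample, 203.0.113.7 touches six accounts with five failures and one success (dlee), which is exactly the case the forced reset and 2FA are meant to neutralize; jsmith's later success from 198.51.100.9 is not a stuffing signal but still lands in the untrusted-location list for review.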
How can GreyHeller help?
- Engage Greg Wendt, Executive Director, Security Solutions, to perform an in-depth Security Readiness Assessment of your PeopleSoft systems. Email us at firstname.lastname@example.org
- Implement our ERP Firewall with Multi-Factor Authentication, Data Masking, Detailed Logging, High Privilege User Access Control and Location-based Access Control. Email us at email@example.com