Here we go again…

Another day, another breach settlement announced and another cyber risk sh*t show hit the Internet.

What this time?

The Yahoo Breach Settlement has just been announced and details emailed to those who may be eligible for some form of compensation or protection. The website for the settlement is www.yahoodatabreachsettlement.com. Two really simple security measures could have been put in place by the administrators to protect against cybercrime but neither of these has been done at the time of writing this post (18^th Sept 2019).

These are:

1. 1. Protect the email domain being used so it isn’t spoofable and can’t be impersonated. There are NO SPF or DMARC records in place for @yahoodatabreachsettlement.com so it is wide open to being convincingly and almost undetectably spoofed by anyone.
   2. Try and make the domain you have registered hard to imitate for hosting fake versions of the settlement websites. Incidentally having a long domain name is easier to spoof, this one is 25 characters long which makes impersonation using homoglyphs (see https://en.wikipedia.org/wiki/Homoglyph ) quite easy e.g yahoodátabreachsettlement.com but also no one has thought to simply register the .net, .org. of this domain to protect it.

So once again open season is declared for anyone wanting to attempt to defraud the millions of people who think they may have a right to claim as a result of this breach.