Yahoo on Thursday confirmed a massive data breach, in which it said a “state-sponsored” hacker broke into the internet company’s systems and stole personal information for at least 500 million user accounts — the biggest such theft of user data from a single entity to date.
The user-account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords and in some cases encrypted or unencrypted security questions and answers, according to Yahoo. The data was stolen from the company’s network in late 2014, Yahoo said, which did not provide an explanation for why it has taken two years to report the incident. It didn’t identify the country it believes was behind the attack.
What the disclosure means for Verizon’s pending $4.8 billion deal to acquire the core web businesses of Yahoo is not immediately clear, but according to Verizon it was not apprised of the severity of the breach until this week.
Verizon, in a statement, said it was notified of Yahoo’s security breach in the last two days. “We understand that Yahoo is conducting an active investigation of this matter, but we otherwise have limited information and understanding of the impact,” the telco said. “We will evaluate as the investigation continues through the lens of overall Verizon interests, including consumers, customers, shareholders and related communities. Until then, we are not in position to further comment.”
The Yahoo announcement came after Vice’s Motherboard reported in August that a hacker known as “Peace,” who is believed to be a Russian cybercriminal, was advertising the sale of 200 million Yahoo user accounts in a black-market online forum for about $1,860 worth of Bitcoin. At the time, Yahoo said it was investigating the claims. Recode reported early Thursday that Yahoo was expected to confirm the data breach this week.
Regardless of how it affects the outcome of Verizon’s planned acquisition, the enormous security breach will stand as a disastrous bookend to the tenure of CEO Marissa Mayer.
Mayer, a former top Google exec hired four years ago to much fanfare, failed to turn around Yahoo’s core search and advertising business. Mayer and Yahoo’s board eventually bowed to investor pressure to sell its operating businesses (excluding its stakes in Alibaba Group and Yahoo Japan), and initiated an auction process earlier this year. Verizon emerged as the winning bidder in July and the telco has outlined plans to merge Yahoo’s web operations with AOL, which it acquired last year for $4.4 billion.
In announcing the breach, Yahoo said it was working with law-enforcement officials on investigating the incident. According to the company, based on what it has learned so far, none of the stolen information included unprotected passwords, payment-card data, or bank-account information.
“Yahoo is notifying potentially affected users and has taken steps to secure their accounts,” the company said. “These steps include invalidating unencrypted security questions and answers so that they cannot be used to access an account and asking potentially affected users to change their passwords. Yahoo is also recommending that users who haven’t changed their passwords since 2014 do so.”
Security and legal experts said Yahoo’s costs associated with the attack could run into the tens of millions of dollars. The incident is likely to prompt class-action lawsuits and could even scuttle the Verizon acquisition.
Given that the breach occurred in 2014 and Yahoo did not properly communicate or manage it, Verizon may seek to nullify or renegotiate the deal, said Corey Williams, senior director of products and marketing at security vendor Centrify. “This is less of a story about 500 million user accounts being stolen and more about how lax security and poor handling of incidents can impact the very existence of a company,” he said.
Yahoo, which reaches some 1 billion users around the world, has posted a frequently asked questions document on its website about the breach. The company also is encouraging users to use Account Key, an authentication tool for its email app that associates a Yahoo account with a specific device to eliminate the need for a password.
As part of responding to the incident, Yahoo has enlisted New York-based communications firm Joel Frank, which specializes in crisis PR.