Yahoo Says Hacker Stole Data on At Least 500 Million User Accounts

Massive security breach may have implications for Verizon's pending $4.8 billion deal for Yahoo

Yahoo on Thursday confirmed a massive data breach, in which it said a “state-sponsored” hacker broke into the internet company’s systems and stole personal information for at least 500 million user accounts — the biggest such theft of user data from a single entity to date.

The user-account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords and in some cases encrypted or unencrypted security questions and answers, according to Yahoo. The data was stolen from the company’s network in late 2014, said Yahoo, which did not explain why it has taken two years to report the incident. It didn’t identify the country it believes was behind the attack.

What the disclosure means for Verizon’s pending $4.8 billion deal to acquire the core web businesses of Yahoo is not immediately clear, but according to Verizon it was not apprised of the severity of the breach until this week.

Verizon, in a statement, said it was notified of Yahoo’s security breach in the last two days. “We understand that Yahoo is conducting an active investigation of this matter, but we otherwise have limited information and understanding of the impact,” the telco said. “We will evaluate as the investigation continues through the lens of overall Verizon interests, including consumers, customers, shareholders and related communities. Until then, we are not in position to further comment.”

The Yahoo announcement came after Vice’s Motherboard reported in August that a hacker known as “Peace,” who is believed to be a Russian cybercriminal, was advertising the sale of 200 million Yahoo user accounts in a black-market online forum for about $1,860 worth of Bitcoin. At the time, Yahoo said it was investigating the claims. Recode reported early Thursday that Yahoo was expected to confirm the data breach this week.

Regardless of how it affects the outcome of Verizon’s planned acquisition, the enormous security breach will stand as a disastrous bookend to the tenure of CEO Marissa Mayer.

Mayer, a former top Google exec hired four years ago to much fanfare, failed to turn around Yahoo’s core search and advertising business. Mayer and Yahoo’s board eventually bowed to investor pressure to sell its operating businesses (excluding its stakes in Alibaba Group and Yahoo Japan), and initiated an auction process earlier this year. Verizon emerged as the winning bidder in July and the telco has outlined plans to merge Yahoo’s web operations with AOL, which it acquired last year for $4.4 billion.

In announcing the breach, Yahoo said it was working with law-enforcement officials on investigating the incident. According to the company, based on what it has learned so far, none of the stolen information included unprotected passwords, payment-card data, or bank-account information.

“Yahoo is notifying potentially affected users and has taken steps to secure their accounts,” the company said. “These steps include invalidating unencrypted security questions and answers so that they cannot be used to access an account and asking potentially affected users to change their passwords. Yahoo is also recommending that users who haven’t changed their passwords since 2014 do so.”

Security and legal experts said Yahoo’s costs associated with the attack could run into the tens of millions of dollars. The incident is likely to prompt class-action lawsuits and could even scuttle the Verizon acquisition.

Given that the breach occurred in 2014 and Yahoo did not properly communicate or manage it, Verizon may seek to nullify or renegotiate the deal, said Corey Williams, senior director of products and marketing at security vendor Centrify. “This is less of a story about 500 million user accounts being stolen and more about how lax security and poor handling of incidents can impact the very existence of a company,” he said.

Yahoo, which reaches some 1 billion users around the world, has posted a frequently asked questions document on its website about the breach. The company also is encouraging users to use Account Key, an authentication tool for its email app that associates a Yahoo account with a specific device to eliminate the need for a password.

As part of responding to the incident, Yahoo has enlisted New York-based communications firm Joel Frank, which specializes in crisis PR.
