
Yahoo Says Hacker Stole Data on At Least 500 Million User Accounts

Massive security breach may have implications for Verizon's pending $4.8 billion deal for Yahoo

Yahoo on Thursday confirmed a massive data breach, in which it said a “state-sponsored” hacker broke into the internet company’s systems and stole personal information for at least 500 million user accounts — the biggest such theft of user data from a single entity to date.

The user-account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords and in some cases encrypted or unencrypted security questions and answers, according to Yahoo. The data was stolen from the company’s network in late 2014, said Yahoo, which did not provide an explanation for why it has taken two years to report the incident. It didn’t identify the country it believes was behind the attack.

What the disclosure means for Verizon’s pending $4.8 billion deal to acquire the core web businesses of Yahoo is not immediately clear, but according to Verizon it was not apprised of the severity of the breach until this week.

Verizon, in a statement, said it was notified of Yahoo’s security breach in the last two days. “We understand that Yahoo is conducting an active investigation of this matter, but we otherwise have limited information and understanding of the impact,” the telco said. “We will evaluate as the investigation continues through the lens of overall Verizon interests, including consumers, customers, shareholders and related communities. Until then, we are not in position to further comment.”

The Yahoo announcement came after Vice’s Motherboard reported in August that a hacker known as “Peace,” who is believed to be a Russian cybercriminal, was advertising the sale of 200 million Yahoo user accounts in a black-market online forum for about $1,860 worth of Bitcoin. At the time, Yahoo said it was investigating the claims. Recode reported early Thursday that Yahoo was expected to confirm the data breach this week.

Regardless of how it affects the outcome of Verizon’s planned acquisition, the enormous security breach will stand as a disastrous bookend to the tenure of CEO Marissa Mayer.

Mayer, a former top Google exec hired four years ago to much fanfare, failed to turn around Yahoo’s core search and advertising business. Mayer and Yahoo’s board eventually bowed to investor pressure to sell its operating businesses (excluding its stakes in Alibaba Group and Yahoo Japan), and initiated an auction process earlier this year. Verizon emerged as the winning bidder in July and the telco has outlined plans to merge Yahoo’s web operations with AOL, which it acquired last year for $4.4 billion.

In announcing the breach, Yahoo said it was working with law-enforcement officials on investigating the incident. According to the company, based on what it has learned so far, none of the stolen information included unprotected passwords, payment-card data, or bank-account information.

“Yahoo is notifying potentially affected users and has taken steps to secure their accounts,” the company said. “These steps include invalidating unencrypted security questions and answers so that they cannot be used to access an account and asking potentially affected users to change their passwords. Yahoo is also recommending that users who haven’t changed their passwords since 2014 do so.”

Security and legal experts said Yahoo’s costs associated with the attack could run into the tens of millions of dollars. The incident is likely to prompt class-action lawsuits and could even scuttle the Verizon acquisition.

Given that the breach occurred in 2014 and Yahoo did not properly communicate or manage it, Verizon may seek to nullify or renegotiate the deal, said Corey Williams, senior director of products and marketing at security vendor Centrify. “This is less of a story about 500 million user accounts being stolen and more about how lax security and poor handling of incidents can impact the very existence of a company,” he said.

Yahoo, which reaches some 1 billion users around the world, has posted a frequently asked questions document on its website about the breach. The company also is encouraging users to use Account Key, an authentication tool for its email app that associates a Yahoo account with a specific device to eliminate the need for a password.

As part of responding to the incident, Yahoo has enlisted New York-based communications firm Joele Frank, which specializes in crisis PR.
