More accurately, Yahoo is the largest publicly disclosed data breach in history. I've been waiting for the news to simmer down a bit before chiming in - and glad I did, as new developments and revelations have mounted. According to a Computer Business Review story, Yahoo has confirmed that state-sponsored hackers stole data from 500 million Yahoo account users.
The rumors have been swirling since summer, when Yahoo confirmed it was investigating a breach in which hackers said they had compromised over 200 million user accounts. A hacker named "Peace" said that the stolen information was being sold on the Dark Web, with credentials going for over $1,800.
200 million was a bad dream, but in fact Yahoo confirmed that 500 million accounts were stolen from the company's network in late 2014. In investigation one breach, did Yahoo discover another? As yet, we do not know.
The account information included names, emails, telephone numbers, date of births and hashed passwords. The ongoing investigation by Yahoo suggests that unprotected passwords, bank account information and payment card data were not affected in the hack. Although Yahoo is confident that the hacker is not currently in Yahoo's network, it did say that it believes the attack to have been perpetrated by a state sponsored hacker.
Critics pointed to Yahoo's slow response and its failure to immediately encourage customers to change their passwords. There seems to be a major concern that some of the compromised account information included encrypted or unencrypted security questions and answers. This could be one of Yahoo's biggest failures in the security breach, since security questions usually contain highly sensitive information such as maiden names.
"The elephant in the room is Yahoo's admission that 'encrypted or unencrypted security questions and answers' might be amongst the hackers haul," said Alex Matthews at Positive Technologies. "If the investigation determines that this extremely sensitive information were stored unencrypted then serious questions need to be answered as this lack of security will highlight serious failings by Yahoo in its responsibility to protect customers."
Yahoo has taken steps to invalidate unencrypted security questions and answers so they cannot be used to access an account. This is just one measure recommended by Yahoo to users, which also tells users to change passwords, look for suspicious account activity and be wary of unsolicited communications or clicking suspicious links. Good advice, but a tad late.
As Yahoo prepares for a $4.8 billion sale of its core business to Verizon, will this breach have an impact? Government investigations, legal action, compensation and bad press will not only tarnish the Yahoo brand, but will also cause concern among shareholders about the price of transaction in the Verizon deal.
Already in the midst of a fire sale, might the 2014 breach, which clearly wasn't properly handled or communicated, give Verizon an out or a reason to renegotiate? Maybe. Did Yahoo know more than it told Verizon during the course of the negotiations? Not yet clear.
Two Yahoo users in San Diego, California, filed last Friday a class-action claim against Yahoo accusing it of failing to take due care of sensitive information under the Unfair Competition Act and the state's Consumer Legal Remedies Act, plus negligence for its poor security, and violating the provisions of the Federal Stored Communications Act.
It is possible that hundreds of cases may be filed and then consolidated into one federal class action suit.
The bean counters at Verizon have got to be recalculating the net worth of Yahoo at this point - and perhaps calculating escape routes from the negotiated price - or even the deal itself.
E-mail: firstname.lastname@example.org Phone: 703-359-0700
Digital Forensics/Information Security/Information Technology