Yahoo claims "state-sponsored" hackers stole information
from around 500 million users in what has been called the
largest publicly disclosed cyber attack in history.
Hackers accessed swathes of personal data including names,
emails and "unencrypted security questions and answers" in the
attack, which took place in late 2014.
Following an investigation by the content giant, which is
set to be acquired by Verizon in a deal worth $4.8 billion,
Yahoo disclosed the attack, which it says did not include
unprotected passwords, payment card data, or bank account
A statement from Yahoo said: "A recent investigation by
Yahoo has confirmed that a copy of certain user account
information was stolen from the company’s network
in late 2014 by what it believes is a state-sponsored
"Based on the ongoing investigation, Yahoo believes that
information associated with at least 500 million user accounts
was stolen and the investigation has found no evidence that the
state-sponsored actor is currently in Yahoo’s
network. Yahoo is working closely with law enforcement on this
The content provider said it is beginning to affect impacted
users via email, asking potentially affected users to change
their passwords and adopt alternate means of account
The disclosure of the hack throws up questions around the
future of Verizon’s acquisition, announced in
July, according to Varonis VP of strategy and market
development David Gibson.
He said: "It’s hard to say for sure whether the
breach will upset the pending acquisition by
Verizon—publishers of the renowned yearly Data Breach
Investigation Report—but it certainly could. If
witnessing a data breach capsizes a $4.8 billion acquisition
doesn’t shock CEOs and CSOs into investing more in
security, what will?
"There will certainly be financial repercussions for Yahoo!,
if not by way of fines and lawsuits, certainly in terms of time
and effort to recover, perform an investigation, and further
invest in bolstering security."
Mark Skilton, a professor of practice at Warwick Business
School I the UK, said the hack could provide a "significant
headache for Verizon in its planned imminent takeover of
Reports of a cyber attack carried out on Yahoo first emerged
days after the Verizon takeover had been announced, with a post
on Motherboard claiming that a hacker was "advertising 200
million of alleged Yahoo user credentials on the dark web." It
is unclear if this alleged hack is the same as the one
announced by Yahoo yesterday (22 September).
In Verizon’s takeover agreement, dated 23 July
2016 and uncovered by Fortune, a paragraph relates to what
Yahoo knew and when it knew it.
"To the Knowledge of Seller, there have not been any
incidents of, or third party claims alleging, (i) Security
Breaches, unauthorized access or unauthorized use of any of
Seller’s or the Business
Subsidiaries’ information technology systems or
(ii) loss, theft, unauthorized access or acquisition,
modification, disclosure, corruption, or other misuse of any
Personal Data in Seller’s or the Business
Subsidiaries’ possession, or other confidential
data owned by Seller or the Business Subsidiaries (or provided
to Seller or the Business Subsidiaries by their customers) in
Seller’s or the Business
Subsidiaries’ possession, in each case (i) and
(ii) that could reasonably be expected to have a Business
Material Adverse Effect."
Verizon has confirmed it was only informed of the breach
within the last two days, and said it would "evaluate as the
If the attack described by Motherboard is the same one, this
timeframe means either Yahoo failed to inform Verizon prior to
the agreement, potentially making it in breach of the paragraph
above, or learned of the attack after 23 July but before 1
August, when Motherboard published the post. At the time, Yahoo
told Motherboard it was "aware" of the claims.
If the deal with Verizon were to fall through, that could
open the door for other potential bidders, such as rival
AT&T, who was linked with a takeover prior to the Verizon
AT&T itself was subject to a hack in 2014, which
resulted in the Federal Communications slapping it with a
record-breaking $25 million fine. 280,000 customers' names,
full or partial Social Security numbers, and account-related
data were accessed in the attack.
Numerous security experts said the breach of
Yahoo’s should set "alarm bells ringing" for
businesses around the globe.
Cyber security experts Certes VP EMEA Paul German said:
"Even heavyweights like Yahoo and LinkedIn have a problem
protecting consumer data, pointing to an inherent flaw in the
way cyber security is being approached.
"The problem lies in the face that once hackers cross a
company’s carefully laid out cyber defences, the
network, and the treasure trove of data within it, is their
oyster. Moving laterally, they are able to siphon off huge
swathes of valuable information difficulty until they are
detected, often months after the initial breach.
"The problem lies in the current cyber security model which
takes a, 'protect’, 'detect’,
'react’ approach. There is a significant lag
between the protection being sidestepped and the criminal being
detected. Currently this leaves a hacker free rummage through a
company’s most sensitive data, wreaking havoc.
There is a fundamental step missing – at whatever
point a hacker enters a network they must be contained,
restricting the data they can access and the damage they can
inflict before they are detected."
ESET security specialist Mark James added: ""500million
accounts is huge by any standards, we sometimes get a little
blasé as the numbers get higher but let’s
not make any mistakes here, that’s a lot of
customers’ information stolen here.
"Data breaches are on the up, it’s almost a
daily occurrence but the damage it causes is massive. The data
may be used for immediate financial gain or used later along
with more information to enable identity theft or phishing
attacks either way it could be very damaging for the
"As Verizon are about to buy Yahoo, they will have to
consider the backlash of future issues with compromised account
data. Because the ramifications of data breaches are often felt
in the future they will have to consider the implications of
any customers who can prove identity issues caused as a result
of this particular breach if they are the new owners."