1bn accounts at risk in another Yahoo hack

James Pearce

More doubt has been cast over Verizon's proposed takeover of Yahoo after Yahoo revealed that up to 1bn accounts had been accessed in a 2013 attack.

Verizon’s acquisition of Yahoo could face further setbacks after the internet giant admitted to another data breach that may have affected up to one billion users.

The hack is believed to have occurred in 2013 and Yahoo said it was unrelated to a 2014 breach disclosed in September which left 500 million user accounts exposed.

Following that disclosure, reports claimed Verizon was looking to negotiate a discount on its $4.8 billion takeover, with its valuation dropping up to 20% in the aftermath.

Yahoo said customer names, phone numbers, passwords and email addresses were stolen in the 2013 breach, but not bank and payment data.

Yahoo said it "believes an unauthorised third party, in August 2013, stole data associated with more than one billion user accounts".

The breach is one of the largest hacks ever disclosed, but Verizon has continued with the stance it took following the previous revelations.

A statement issued by the company said it continues to work towards integration with Yahoo, adding: "As we've said all along, we will evaluate the situation as Yahoo continues its investigation. We will review the impact of this new development before reaching any final conclusions."

However, the Wall Street Journal quoted an unnamed Verizon source as saying “all options were on the table”, including renegotiating the price or terminating the deal altogether.

Experts have blasted the internet search giant for being hit by two of the largest recorded hacks in history within a year of each other.

Paul German, CEO at encryption specialists Certes, said the latest revelations bring Yahoo’s attitude to cyber security into question.

“Yahoo is relying on an outdated cyber security model which takes a ‘protect’, ‘detect’, ‘react’ approach, which simply does not work. The problem lies in the fact that once inside a network, there is a significant delay before a hacker is detected, leaving them free to move uninhibited, accessing vast quantities of sensitive data and wreaking havoc.

“There is a fundamental step missing – damage limitation. At whatever point a hacker enters a network they must be contained, restricting the data they can access and the damage they can inflict before they are detected. 

“This obvious step is missing from the cyber security strategies of some of the world’s biggest organisations and is the reason we are seeing hacks that affect consumers on such a massive scale. However, by looking to approaches such as cryptographic segmentation to contain a threat, businesses can ensure a hacker cannot roam freely across their network, significantly limiting the impact of an attack.”