One billion Yahoo user accounts were compromised by hackers in August 2013, the internet giant has confirmed, raising questions about what this latest data breach disclosure means for Verizon’s ongoing bid to acquire the company.
Download this free guide
Disaster recovery and business continuity: Essential guide
Download this e-guide to create a solid DR and BC plan and protect your organisation from negative events.
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
Bob Lord, chief information security officer (CISO) at Yahoo, outlined details of the breach in a blog post, and confirmed the perpetrators were unknown, but it is thought they may have used “forged cookies” to access user accounts without needing to know their password.
“We believe an unauthorised third party, in August 2013, stole data associated with more than one billion user accounts. We have not been able to identify the intrusion associated with this theft,” he said.
Speaking to Computer Weekly, Jonathan Care, a research director at market watcher Gartner, said Yahoo’s lack of clarity on this point was troubling.
“The implication is that Yahoo has overly focused on deploying protective technologies, and has not put in place effective analytics, detection and response systems and processes,” he said.
“From what we do know, the attackers made use of cookie masquerading, pass-the-hash and a state-sponsored actor. This gives strength to the importance of a strong detection plan.”
Breaking the news of the breach
The incident came to light after US law enforcers shared files with the company that a third-party claimed contained Yahoo user data.
“We analysed this data with the assistance of outside forensic experts and found that it appears to be Yahoo user data,” said Lord.
“For potentially affected accounts, the stolen user account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers.”
The compromised data did not contain passwords in clear text or any financial information belonging to users, Lord added.
“We are notifying potentially affected users and have taken steps to secure their accounts, including requiring users to change their passwords,” he said. “We have also invalidated unencrypted security questions and answers so that they cannot be used to access an account.”
This latest breach comes several months after Yahoo revealed details of another historic attack on its systems, dating back to 2014, which led to the personal details of at least 500 million users becoming exposed.
At the time, the incident was reported to be the largest publicly reported breach of its kind, but the August 2013 one is understood to be considerably bigger.
In the blog post, Lord said the company had reason to believe the August 2013 hack was “distinct” from the 2014 incident.
After news of the 2014 hack broke, Yahoo confirmed some staff knew about it several years before details were publicly disclosed, and acknowledged that it could lead to Verizon withdrawing its $4.83bn bid to acquire the company.
In light of its latest disclosure, questions are now being raised about how the news may affect the deal, given Verizon went on record in October 2016 to say the previous breach could pave the way for it to drop its bid.
Paul Glass, a partner in the data protection team at law firm Taylor Wessing, said – at the very least – the latest breach would have a “significant impact” on the deal’s value.
“The scale of the two breaches, coupled with what they appear to show about Yahoo’s approach to security, will surely add even more weight to Verizon significantly lowering the purchase price,” he said.
“It also emphasises the importance of purchasers understanding the security risks of target businesses and building in contractual mechanisms to adjust the price, or even allow them to walk away from the deal if breaches like these come to light before completion.”
Gartner’s Care backed this view, pointing to the downward impact the news of the breach has already had on Yahoo’s stock price.
“It’s clear that there will be an impact on the proposed acquisition, and the markets are reacting to the news. It is disturbing that it has taken so long for the breach to be made public in the light of the data breach notification laws in the US and elsewhere,” he said.
“Clearly, the upshot of this is that we need to realise that it’s no longer a case of ‘if we’re targeted or unlucky’, but that we are all targets.”