Yahoo breach may be for intel not riches

As a result of the company’s “failure to establish and implement basic data security protocols, contrary to Yahoo’s guarantees, its users’ personal information is now in the hands of criminals and/or enemies of the U.S.”, according to the latest complaint, filed Friday in federal court in San Jose, California.

In the wake of Yahoo confirming that at least 500 million of its user accounts were stolen in 2014 by “state-sponsored” hackers, Sky Broadband and BT are both warning their customers that some of them may have been affected, as both companies use Yahoo for their respective email platforms.

How to protect your account: Yahoo said it had begun notifying potentially affected users.

An apparent breach was first disclosed to Yahoo by Motherboard reporter Joseph Cox on July 30, who wrote of the dataset being sold on a dark web marketplace on August 1.

In 2014, Yahoo also investigated attacks by Russian hackers that targeted dozens of private Yahoo accounts, one person with knowledge of Yahoo’s investigation said, but it is not yet clear whether the same hackers were behind the larger hack. “The attack came from what is believed to be a State-sponsored actor”.

“It’s a massive black eye for Yahoo and its brand”, said Patrick Moorhead, an analyst and consultant at Moor Insights & Strategy. “Yahoo was so grossly negligent in securing its users’ personal information that it says that it did not even discover the incident until the summer of 2016”, the complaint states. While the hack may not have affected more sensitive data such as unprotected passwords, credit card data or bank account information, the leaked data could still allow outsiders to access user accounts. According to a press release posted on Yahoo’s investor relations page, the information theft “may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers”. A statement issued by Verizon, meanwhile, was terse and seemed meant to distance the company from its would-be acquiree: “Within the last two days, we were notified of Yahoo’s security incident”.

Yahoo is being criticized for more than pointing fingers, however. Verizon is expected to tap into that user base and the advertising opportunities it offers to fuel new growth as its own mobile services business continues to shift.

We are recommending that all users who haven’t changed their passwords since 2014 do so.

Mark James, of internet security company ESET, said: “As Verizon are about to buy Yahoo, they will have to consider the backlash of future issues with compromised account data”. They have breached law firms and accounting firms, and in the past year they even made off with flight records for millions of United Airlines passengers. A third of them said they use the information provided to decide whether to proceed with deals, and a fifth of them said they use evaluations as a pretext to renegotiate prices.

It should not be ruled out that the timing of the hacking report is related to the pending purchase of Yahoo by Verizon for almost $5 billion.

Roger Kay of Endpoint Technologies Associates said Verizon was effectively blindsided by the news of the hack, and may think twice about proceeding with the deal, given the liabilities it may inherit. The only thing that’s certain, he said, is Yahoo will not be the last company to experience a hack of this scale. The reason they have value is that people use the same password for multiple sites.