When it’s all said and done, Verizon might get Yahoo’s internet properties for a lot less than the originally agreed upon $4.8 billion. After revelations in September of a previously undisclosed hack the compromised 500 million accounts in 2014, Yahoo admitted yesterday that an unrelated security breach in 2013 affected over 1 billion accounts.
Yahoo revealed the 2013 hack in a press release issued yesterday. The relevant part for those potentially affected reads, “the stolen user account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers. The investigation indicates that the stolen information did not include passwords in clear text, payment card data, or bank account information. Payment card data and bank account information are not stored in the system the company believes was affected.” In short, if your Yahoo password is the same now as it was in 2013, chances are pretty good that you should change it now. Then again, with Yahoo’s security track record, you might want to go change it regardless.
While financial information appears to have been kept secure, compromised passwords can be a huge security problem, particularly for those who use the same or similar passwords for many of their online accounts. The scale of the breach is unprecedented, with the caveat that very few internet companies have 1 billion accounts that can be compromised in the first place.
The most alarming part is that Yahoo was unaware of the breach until law enforcement recently provided the company with files containing Yahoo account information. Usually, stories of delayed disclosure of security breaches come with the revelation that the company simply neglected to tell the public. In this case, it seems that Yahoo was genuinely unaware that their systems had been compromised until three years after the fact, suggesting that the company never committed much in the way of resources to developing, monitoring, and maintaining data security measures.
In the press release, the company says that while the two attacks are believed to be distinct, it’s suspected that both involved the unnamed state-sponsored actors thought to be behind the 2014 hack.
While Verizon has reportedly been seeking a discount on its bid to acquire Yahoo’s internet properties for $4.8 billion since the 2014 hack was revealed in September, reports today indicate that Verizon may go as far as rescinding its bid altogether.