Yahoo on Thursday disclosed that a data breach in late 2014 resulted in the theft of information from at least 500 million customer accounts.
Based on a recent investigation, it appears that state-sponsored hackers carried out the attack, the company said.
Account information compromised includes names, email addresses, telephone numbers, dates of birth, hashed passwords, and encrypted or unencrypted security questions and answers.
Payment card and bank account information was not compromised, according to Yahoo. That information is stored on a system that was not affected by the breach.
Yahoo pointed to an increase in state-sponsored attacks on technology companies and noted that since late last year, it has informed about 10,000 users of suspicions that state-sponsored actors were targeting their accounts.
If the breach reports are true, they couldn’t have come at a worse time for the company, which is preparing to sell its operating business to telecommunications giant Verizon for US$4.8 billion.
“Verizon certainly took on a calculated level of risk in acquiring Yahoo, particularly because of its massive user base,” said Kevin Cunningham, president of SailPoint.
“The question of whether this breach will affect the sale price depends on how extensively [Verizon] performed due diligence on Yahoo’s security controls,” he told the E-Commerce Times.
“It’s a perfect illustration of the fact that this due diligence should include not just network security controls, but also identity governance controls,” Cunningham continued, “because as we’ve seen with LinkedIn, Dropbox and countless others, breaches very often result from compromised employee credentials.”
With a data breach of this size, tremendous risk is created for an acquisition partner, noted Erik Knight, CEO of SimpleWan.
“There’s going to be a ton of issues here that could drastically reduce the value of Yahoo,” he told the E-Commerce Times.
Verizon on Thursday acknowledged that it had been notified of Yahoo’s security incident, but had limited information and understanding of its impact.
The company would consider its interests — including those of its customers, shareholders and related communities — as the investigation proceeded, it said.
Protections in Place
Yahoo encouraged its users to take precautions, such as changing passwords and security questions, to protect themselves from malicious activity.
The company recently introduced new tools to help safeguard customer security.
“If you’re a Yahoo user, over the last several years you will have experienced additional security measures on your accounts,” noted Michael Harris, chief marketing officer at Guidance Software.
Those measures include a requirement to change passwords on a regular basis, and mobile alerts when Yahoo detects a login from a new device.
“These improvements will help mitigate the impact of this breach,” Harris told the E-Commerce Times.
Yahoo also introduced the Yahoo Account Key last year, which is similar to the two-factor authentication systems used by some online services.
The problem with security offerings like 2FA is that people don’t take advantage of them.
“I doubt many people have opted in for it. I don’t know many people outside the security industry that enable things like 2FA,” said Prevoty CTO Kunal Anand of Yahoo Account Key.
“The idea sounds great, but not many people do that,” he told the E-Commerce Times.
“It’s good cyberhygiene, but I should eat more vegetables, too,” quipped Cameron Camp, a senior researcher at Eset.
“Whenever something is opt-in, that usually means a slower rate of adoption,” he told the E-Commerce Times.
Trust Will Take Hit
While it remains to be seen what impact this data breach will have on Yahoo, one very likely consequence is a loss of trust among its users, said Ebba Blitz, CEO of Alertsec.
Nearly one in three participants in an Alertsec survey said it would take them several months to begin trusting a company again following a data breach, the company found.
“Our research demonstrates just how difficult it will be for Yahoo’s brand to recover from this breach,” Blitz told the E-Commerce Times.
“Customers who are affected by data breaches suffer a significant loss of trust, and this is particularly true of men,” he pointed out.
Twenty-two percent of participants said it would only take them a month to forgive, but 17 percent of men and 11 percent of women said their trust would be permanently lost. Men were more likely to switch to a competitor following a data breach than women.