The credentials of more than a billion Yahoo Inc. user accounts may have been stolen in a second major hack on the struggling Internet portal’s systems.
The company said Wednesday that the hackers may have even figured out a way to log in to Yahoo accounts without using their victims’ passwords. The hack, which is a separate incident from the one Yahoo disclosed in September that saw 500 million accounts hacked, could well be the biggest security breach of all time, some reports claim.
The breach may endanger Yahoo’s nearly $5 billion deal to sell to Verizon Communications Inc. The carrier is looking at negotiating a price cut or scrapping the deal, according to Bloomberg. Update: In midday trading Thursday, shares were falling almost 4.5 percent.
Yahoo said in a statement that the breach dates back to August 2013, a year before the previously disclosed attack, which took place in September 2014. Hackers made off with the “names, email addresses, telephone numbers, dates of birth, hashed passwords and, in some cases, encrypted or unencrypted security questions and answers” of over a billion of its users in the latest attack, the company said.
On the bright side, the company said no payment card data or bank account information was compromised. Yahoo has already begun notifying users who may have been hacked, and is asking them to change their passwords and invalidate their security questions, which can be used to recover a lost or forgotten password.
The company blamed the attack on an “unauthorized third party” but gave no other details. It said it first learned about the breach back in November from law enforcement officials, who presented data files allegedly stolen from the company. Yahoo later verified the stolen data was legitimate before announcing the breach. Yahoo has since invalidated unencrypted security questions and answers so the affected accounts can no longer be accessed that way.
“Based on the ongoing investigation, the company believes an unauthorized third party accessed the company’s proprietary code to learn how to forge cookies,” which can be used to store authentication credentials locally. “The outside forensic experts have identified user accounts for which they believe forged cookies were taken or used,” the statement said. Yahoo has also invalidated the cookies.
The incident will likely deal a crushing blow to confidence in the company, which was already at a low point after it took two years to disclose the September 2014 breach. “The Yahoo breach appears to be one of the most significant third-party risk events in recent history, and at massive scale,” said Joe Fantuzzi, chief executive at the risk management software firm RiskVision. “No one yet can likely calculate the brand, financial and customer damage this will cause.”
What might be easier to calculate is how long Yahoo will suffer from the negative impacts of this latest breach. Ebba Blitz, CEO of encryption provider Alertsec Inc., told SiliconANGLE that his company’s brand value research shows that the ramifications of these kinds of incidents are typically felt for several months.
“Customers who are affected by data breaches suffer a significant loss of trust,” Blitz said in an emailed statement. “According to our study, nearly one in three Americans said it would take them several months to begin trusting a company like Yahoo again following a data breach. Meanwhile, 17 percent of men and 11 percent of women said their trust would be permanently lost.”
Verizon deal in jeopardy?
Of even more importance, at least to Yahoo’s executives and investors, will be the potential impact on Verizon’s proposed $4.8 billion acquisition of Yahoo, which was announced in July but has not yet been completed.
Yahoo had already irked Verizon by disclosing the September 2014 breach only after the acquisition was agreed upon and announced. The apparent lack of transparency reportedly upset Verizon officials so much that in October they asked Yahoo for a $1 billion discount on the original price. Later, a lawyer for Verizon warned that the earlier breach could even trigger a clause allowing it to withdraw from the deal, Reuters reported.
It remains to be seen how the latest incident will affect Yahoo’s dealings with Verizon, and the latter company has so far provided only a guarded reaction to the news. A Verizon spokesperson told CNBC that the telecommunications firm will “evaluate the situation as Yahoo continues its investigation.”
Yahoo was predictably a bit more optimistic, insisting to VentureBeat: “We are confident in Yahoo’s value and we continue to work towards integration with Verizon.”
Yahoo’s stock was down 1.35 percent for the day and fell a further 2.35 percent in after-hours trading.