Yahoo just announced that over 500 million accounts were hacked in 2014. Yahoo believes the hack was performed by a “state-sponsored actor.” This is one of the largest data leaks in cybersecurity history.
Yahoo said in a statement that “the account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords and in some cases, encrypted or unencrypted security questions and answers.” This is basically everything a hacker needs to start taking over lives.
Yahoo obviously told users they should change their passwords and security questions as soon as possible and look at their recent account activity for anything out of the ordinary.
According to claims online, a hacker using the pseudonym “Peace” was attempting to sell 200 million Yahoo account names and passwords on the dark web on August 1st of this year. Interestingly, that data was stolen in 2012. While investigating the 2012 hack, Yahoo discovered this new 2014 breach.
This means that Yahoo knew about the hack in early August and did not notify users until just this week. They left half a billion users vulnerable for six weeks!
In response to this, U.S. Senator Blumenthal made a statement that he would be lobbying for legislation designed “to make sure companies are properly and promptly notifying consumers when their data has been compromised.”
He goes on to say that “If Yahoo knew about the hack as early as August, and failed to coordinate with law enforcement, taking this long to confirm the breach is a blatant betrayal of their users’ trust.”
Even Verizon, which is purchasing Yahoo for $4.8B, was only informed of the hack a few days ago. This gives grounds for the accusation that Yahoo may have been intentionally withholding information about the hack until the sale to Verizon went through. Their valuation likely would have gone down if Verizon had known of the hack prior to the sale.
Jeremiah Grossman, chief of security strategy at a cybersecurity company called SentinelOne, said that “internet companies, especially giants like Yahoo, face challenges protecting enormous computer networks because the networks offer so many points of entry to attackers.”
How to protect yourself
If you have a Yahoo account, you should immediately take a few actions to protect yourself.
- Log in to your Yahoo account
- Change your password and make sure the new password is complex, including numbers, letters and symbols
- Set up two-factor authentication, an extra security measure that requires you to confirm your identity by receiving a unique PIN code on your cell phone or at a backup email address
- Change your security questions
- If you use the same security questions on other sites, change them on these sites as well
- The recommendation is to use completely random security questions with random answers – make sure you keep these random questions and answers saved somewhere safe
How might this affect the sale to Verizon?
There are a lot of unanswered questions for Verizon, such as:
- Why was this found two years after the hack?
- Who was behind the hack?
- Why did it take 6 weeks for Yahoo to announce the news?
The answers to these questions are still unclear, but we do know that Verizon has tasked their CIO with investigating the hack as well. She brought in Verizon’s security and enterprise solutions divisions to further investigate these issues and report back.
Verizon has not made any kind of public statement yet that indicates whether or not the sale will proceed. They could easily see this as a reason to back out of the deal, but we will not know until Verizon makes an announcement.
It is not likely that Verizon will back out of the deal, but it is very likely that Verizon will take this hack as an opportunity to renegotiate the deal and save some money on the purchase. In the terms of the sale, Yahoo states that they had never had any major hacks, and now they have fallen victim to potentially the largest hack of a public company in the history of cybersecurity. I can only imagine that this will change the deal in some way.