Another Hack Announced by Yahoo
Yahoo disclosed yet another hack in its past, this one apparently dating to 2013 and involving the theft of the personal data of 1 billion users, a record for announced hacks. The company said it "has not been able to identify the intrusion associated with this theft."
Yahoo Inc. (Nasdaq: YHOO) believes this hack is different from the one it announced in September. That one apparently occurred in 2014. Half a billion user accounts were stolen.
The only real question with the older but more recently revealed hack is Verizon's response. Will it forge ahead with its acquisition of Yahoo, or will this hack give Verizon Communications Inc. (NYSE: VZ) cause to call off the deal?
After Yahoo revealed the 2014 hack, Verizon said it wanted to evaluate whether that one was material. Verizon didn't say what it would consider material, and it has yet to say publicly what its conclusion might be.
Yahoo said it has adopted countermeasures against hacking, but if it can't identify the intrusion, it would be hard to say with any certainty that the vulnerability that hackers exploited has been eliminated.
There don't seem to be any legal penalties worth mentioning for failing to protect customer data. There are financial penalties, especially if subscribers leave in droves, but Yahoo's Q3 results included statistics showing its subscriber activity edged up a bit since the 2014 hack was announced.
The announcement came late in the day, so there wasn't much time for the market to come to a consensus guess on which way Verizon might go. Yahoo stock did close down 56 cents, or 1.35%, but that may have been a continuation of an ongoing downward trend over the last week or so.
According to Yahoo, the user account information stolen from the billion hacked accounts may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers.
Yahoo's "investigation indicates that the stolen information did not include passwords in clear text, payment card data, or bank account information. Payment card data and bank account information are not stored in the system the company believes was affected," the company said in a statement.
— Brian Santo, Senior Editor, Components, T&M, Light Reading