
Another Hack Announced by Yahoo

Yahoo disclosed yet another hack in its past, this one apparently dating to 2013 and involving the theft of the personal data of 1 billion users, a record for announced hacks. The company said it "has not been able to identify the intrusion associated with this theft."

Yahoo Inc. (Nasdaq: YHOO) believes this hack is different from the one it announced in September. That one apparently occurred in 2014. Half a billion user accounts were stolen.

The only real question with the older but more recently revealed hack is Verizon's response. Will it forge ahead with its acquisition of Yahoo, or will this hack give Verizon Communications Inc. (NYSE: VZ) cause to call off the deal?

After Yahoo revealed the 2014 hack, Verizon said it wanted to evaluate whether that one was material. Verizon didn't say what it would consider material, and has yet to say publicly what its conclusion might be.

Yahoo said it has adopted countermeasures against hacking, but if it can't identify the intrusion, it would be hard to say with any certainty that the vulnerability that hackers exploited has been eliminated.


There don't seem to be any legal penalties worth mentioning for failing to protect customer data. There are financial penalties, especially if subscribers leave in droves, but Yahoo's Q3 results included statistics showing its subscriber activity edged up a bit since the 2014 hack was announced.

The announcement came late in the day, so there wasn't much time for the market to come to a consensus guess on which way Verizon might go. Yahoo stock did close down 56 cents, or 1.35%, but that may have been a continuation of an ongoing downward trend over the last week or so.

The stolen user account information in the billion hacked accounts may have included, according to Yahoo, names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers.

Yahoo's "investigation indicates that the stolen information did not include passwords in clear text, payment card data, or bank account information. Payment card data and bank account information are not stored in the system the company believes was affected," the company said in a statement.

— Brian Santo, Senior Editor, Components, T&M, Light Reading

kq4ym 12/28/2016 | 5:00:55 PM
Re: 3 years?!
Interesting that there are probably no legal penalties. I wonder if this is because of the long time since the crime or just because there's been no large-scale damage to customers? With just partial passwords and no financial data taken, I suppose it's hard to prove any damages even in a class action suit.
inkstainedwretch 12/15/2016 | 4:55:44 PM
Why Three Years?
We cannot jump to conclusions. Yes, Yahoo could have been sitting on the information. But it is also very possible for three years to elapse without any additional irresponsibility beyond failing to stop the original hack.

It is not uncommon for malicious hackers to sit on data for a while -- years even -- before they decide to sell/share the data.

Yahoo was apparently unaware of the two hacks until some third-party security experts brought them to Yahoo's attention. As reported, Yahoo still doesn't know what the original hacks were. This suggests that all they have are the lists of the hacked accounts.

One of those lists has a half-billion names, the other a billion. If it is true that those lists are the only evidence they have of the hacks (a notion supported by the assertion that they don't know the mechanism of the hacks), it might have taken months simply to develop the suspicion there might have been two hacks. Once that realization hit, it would take some time to verify that the half-billion list wasn't just a subset of the billion list. If it was a subset, there was just one hack. If the lists diverge significantly, then there were two.

I can't say for a fact either way. But with the information we have been given, both explanations are plausible.

--Brian Santo
inkstainedwretch 12/15/2016 | 4:36:46 PM
Re: No telling
Yup.

--Brian Santo
Mitch Wagner 12/15/2016 | 4:19:42 PM
Yahoo HQ
Street View photo of Yahoo headquarters:

Mitch Wagner 12/15/2016 | 4:10:43 PM
Re: No telling
While I agree with you on the lack of consequences for data breaches, Verizon may use this hack -- like the previous one -- to negotiate better terms.
dishnetwork 12/15/2016 | 12:13:26 PM
3 years?!
It took 3 years for them to disclose this? Ridiculous!
inkstainedwretch 12/15/2016 | 12:03:54 PM
No telling
There are two ways to look at this.

1) The accumulation of hacks on Yahoo was really, really, really bad. No one should be surprised if Verizon calls it off.

2) The accumulation of hacks on Yahoo is ancient; if any company has ever been legally penalized for a hack, it's rare; if any corporate executive has ever lost their job as penalty for a hack, I don't know who it is; every single subscriber has been hacked so often elsewhere with little or no remuneration that there's no expectation of recompense of any sort any more, and going elsewhere seems pointless because if it isn't Yahoo, it's their (our) shopping outlets, insurance company, medical facility, or the state & federal government agencies. In short, nothing has diminished the value of what Verizon wants: the subscriber traffic and the ad business. No one should be surprised if Verizon pulls the trigger on the deal anyway.

I'm not betting on one or the other. Both seem equally likely to me.

--Brian Santo
[email protected] 12/15/2016 | 10:19:30 AM
Here's another way to look at it...

New Yahoo SNAFU may poo-poo Verizon woo

[email protected] 12/15/2016 | 7:07:00 AM
I just looked up 'toxic brand' in the dictionary...
[insert your own answer here]

If Verizon does decide to go ahead, I bet the deal now involves about 100 extra pages of liability clauses.