ShareThis Page

Yahoo reports largest data breach on record

| Friday, Sept. 23, 2016, 9:39 a.m.
This file photo taken on September 12, 2013 shows the newly designed Yahoo logo seen on a smartphone.
Yahoo said on September 22, 2016 that a massive attack on its network in 2014 allowed hackers to steal data from half a billion users and may have been 'state sponsored.'
AFP/Getty Images
This file photo taken on September 12, 2013 shows the newly designed Yahoo logo seen on a smartphone. Yahoo said on September 22, 2016 that a massive attack on its network in 2014 allowed hackers to steal data from half a billion users and may have been 'state sponsored.'

Yahoo on Thursday reported the largest data breach in history — affecting at least 500 million user accounts — months after first detecting signs of an intrusion that the company blamed on “state-sponsored” hackers.

The web giant called on customers to change their passwords and institute other protective measures, but the largest fallout could be for Yahoo itself. The long-faltering company this summer agreed to sell its core business for $4.8 billion to telecommunications giant Verizon in a deal now clouded by news of the massive breach. Verizon said it learned of the incident only “within the last two days.”

The timeline highlighted a dilemma created by hacks: Companies often take months or even years to report suspicions of breaches — if they report them publicly at all — holding the information back from customers, business partners and even potential new owners of a company.

“The dark cloud this casts will be very long and will likely impact the merger agreement,” Jeff Kagan, a Georgia-based telecommunications industry analyst, said in an email. “We'll just have to wait and see what happens next. Will it change the numbers or impact the merger altogether? Either way, you would think these two big guys should have known.”

Yahoo learned of the incident in July, the same month it announced its deal with Verizon, a person familiar with the matter said, speaking on condition of anonymity to freely discuss the issue.

When asked, Yahoo declined to say whether it first learned of the hack before or after that deal was announced.

Yahoo ultimately revealed the breach after Recode, a news site focusing on Silicon Valley, reported Thursday morning that the ailing tech giant would confirm a data breach affecting hundreds of millions of accounts.

The total number of affected accounts, by reaching 500 million, gave it the dubious distinction of being the largest breach on record, said Paul Stephens of the Privacy Rights Clearinghouse.

Stephens said consumers also must take steps to take care of matters themselves, outside of their Yahoo accounts. “It's really important that individuals think long and hard about passwords as well as security questions and answers they used on Yahoo that they might have used somewhere else,” Stephens said. “It's very important to remember that if that information is available to hackers, they are going to try and use it on other sites as well.”

Yahoo reported that the intrusion apparently began in 2014. Company Chief Information Security Officer Bob Lord wrote in a blog post that names, email addresses, telephone numbers, dates of birth and answers to “security questions” may have been stolen but financial information such as credit card numbers apparently was not because that data was stored in a separate system.

“Yahoo is working closely with law enforcement on this matter,” Lord wrote.

Sen. Mark R. Warner, D-Va., chastised Yahoo for not reporting suspicions of a breach sooner and called on the federal government to impose stricter disclosure requirements for companies. Companies now face a messy patchwork of state disclosure laws but no federal standard for reporting about breaches, including when, how and who was affected.

“I am perhaps most troubled by news that this breach occurred in 2014, and yet the public is only learning details of it today,” Warner said in a statement.

“Action from Congress to create a uniform data breach notification standard so that consumers are notified in a much more timely manner is long overdue.”

The impact on Verizon's deal with Yahoo was not immediately clear. Major data breaches have become a routine event for corporate America and also for major government agencies and political groups. The Yahoo intrusion stands out for the sheer scale of the customers apparently affected, a legacy of the company's once-commanding position for Internet users who turned to the company for web searches, email accounts, user groups and news reports.

The Verizon deal was seen as a relatively soft landing for Yahoo, a company overtaken by competitors in nearly every one of its major businesses.

Verizon, in a company statement, said that it was monitoring news of the breach. “We understand that Yahoo is conducting an active investigation of this matter, but we otherwise have limited information and understanding of the impact,” the company's statement said. “We will evaluate as the investigation continues through the lens of overall Verizon interests, including consumers, customers, shareholders and related communities. Until then, we are not in position to further comment.”

The security breach is yet another bruise for the aging tech firm and chief executive Marissa Mayer, who joined Yahoo in 2012 to effect a turnaround and ended up having to sell the firm's core assets instead.

Microsoft's recent acquisition of LinkedIn, which came one month after the social network revealed it 167 million of its accounts had been breached, show a breach alone is not necessarily enough to derail a deal, said John Levallo, senior vice president at the public relations and strategic communications firm Levick.

But he said the tech giant will be hard-pressed to rehabilitate its overall reputation in light of this breach.

“Focus on the consumer and not the deal,” Levallo said. “If I were in that boardroom at this moment in time, I would say we understand there's a huge deal on the table right now. But first address and resolve the issue for your consumers and the transaction will take care of itself.”

Yahoo has had a poor security reputation in the past, one of the many things that Mayer has focused on since becoming chief executive.

Vice's Motherboard blog in August reported that Yahoo was investigating an alleged breach after the news organization found that a cybercriminal known as “Peace” claimed to be offering 200 million Yahoo user credentials for sale online. The data was advertised on the “dark web” — a part of the Internet accessible only through the use of special software such as the anonymous browsing tool Tor and often associated with illicit activities.

TribLIVE commenting policy

You are solely responsible for your comments and by using TribLive.com you agree to our Terms of Service.

We moderate comments. Our goal is to provide substantive commentary for a general readership. By screening submissions, we provide a space where readers can share intelligent and informed commentary that enhances the quality of our news and information.

While most comments will be posted if they are on-topic and not abusive, moderating decisions are subjective. We will make them as carefully and consistently as we can. Because of the volume of reader comments, we cannot review individual moderation decisions with readers.

We value thoughtful comments representing a range of views that make their point quickly and politely. We make an effort to protect discussions from repeated comments either by the same reader or different readers

We follow the same standards for taste as the daily newspaper. A few things we won't tolerate: personal attacks, obscenity, vulgarity, profanity (including expletives and letters followed by dashes), commercial promotion, impersonations, incoherence, proselytizing and SHOUTING. Don't include URLs to Web sites.

We do not edit comments. They are either approved or deleted. We reserve the right to edit a comment that is quoted or excerpted in an article. In this case, we may fix spelling and punctuation.

We welcome strong opinions and criticism of our work, but we don't want comments to become bogged down with discussions of our policies and we will moderate accordingly.

We appreciate it when readers and people quoted in articles or blog posts point out errors of fact or emphasis and will investigate all assertions. But these suggestions should be sent via e-mail. To avoid distracting other readers, we won't publish comments that suggest a correction. Instead, corrections will be made in a blog post or in an article.