The biggest cyber breach in history! Why are we just now hearing about the Yahoo hack of 2014?
It is quite concerning that here we are in September 2016, with Verizon just about to buy Yahoo, and only now do we hear about this Yahoo hack from 2014. Was this part of the due diligence process?
Yahoo is about to announce that the company was a victim of hacking that has exposed several hundred million user accounts. (Cynically the Yahoo Hack was conducted by a hacker who is named “Peace”.) All reports on the Yahoo Hack say it was widespread and serious.
Yahoo said on Thursday that at least 500 million of its accounts were hacked in 2014 by what it believed was a state-sponsored actor, a theft that appeared to be the world’s biggest known cyber breach by far. The Yahoo Hack was humongous, more than triple the size of eBay’s.
“This is the biggest data breach ever,” said well-known cryptologist Bruce Schneier, adding that the impact on Yahoo and its users remained unclear because many questions remain, including the identity of the state-sponsored hackers behind it.
Earlier this summer, Yahoo did say it was investigating a data breach in which hackers claimed to have access to 200 million user accounts and one was selling them online.
The expected announcement has possibly larger implications for the $4.8 billion sale of Yahoo’s core business — which is at the core of this hack — to Verizon. The scale of the liability could bring untold headaches to the new owners. Shareholders are likely to worry that it could lead to an adjustment in the price of the transaction.
That deal is almost done, but the companies cannot be integrated until it is approved by a number of regulatory agencies, as well as Yahoo shareholders. Representatives of Verizon and Yahoo have already started to meet to set up the process to make the transition smooth.
But there’s nothing smooth about the Yahoo Hack, said sources, which became known in August when an infamous cyber criminal named “Peace” claimed on a website that he was selling credentials of 200 million Yahoo users from 2012 on the dark web for just over $1,800. The data allegedly included user names, easily decrypted passwords and personal information like birth dates and other email addresses.
In August, Yahoo said it was “aware of the claim,” but the company declined to say if it was legitimate and said that it was investigating the information. But it did not issue a call for a password reset to users. Now, said sources, Yahoo might have to, although it will be a case of too little, too late.
The confirmation of such an extensive hack is also not great for CEO Marissa Mayer, who has not been able to turn Yahoo around or innovate any new products, which eventually led to the sale.
Analyst Robert Peck of SunTrust Robinson Humphrey said the breach probably was not enough to prompt Verizon to abandon its deal with Yahoo, but it could call for a price decrease of $100 million to $200 million, depending on how many users leave Yahoo.
Steven Caponi, an attorney at K&L Gates with a practice including merger litigation, said that Yahoo’s breach could fall under the “material adverse change” clause common in mergers allowing a buyer to walk away if its target’s value deteriorates. “That would give Verizon the opportunity to renegotiate the terms or potentially walk away from the transaction if it is a material change. Whether it is a material change will depend in large part on what kind of information was compromised,” Caponi said.
The Yahoo Hack follows a rising number of other large-scale data attacks, which could make it a watershed event that prompts government and businesses to put more effort into bolstering defenses, said Dan Kaminsky, a well-known internet security expert. “Five hundred of the Fortune 500 have been hacked,” he said. “If anything has changed, it’s that these attacks are getting publicly disclosed.”