For a company that really could use some good news for a change, Yahoo has had another pretty rough week.
The pioneering search and web services provider, whose home page starts more browser sessions than anybody in the world, revealed Dec. 14 that new security issues had impacted the personal data of more than 1 billion of its users. This is thought to be the largest and most widespread theft of personal information in the brief history of the internet.
The breach is distinct from, and twice as large as, the hack Yahoo admitted to suffering last September, one the company said happened in 2014—and which was, at the time, the largest breach in the world. So much for world records.
The newly disclosed security intrusion from Dec. 14 apparently took place in 2013 and involved a substantial amount of personal information, including passwords and the answers to security questions. Yahoo is trying to harden all its systems and requiring all its users to change passwords, and it is automatically invalidating the security questions.
Former User: ‘Went Over to My Gmail Account’
In a typical reaction, a Yahoo user interviewed on the street Dec. 14 on Bay Area television news simply said: “How does the Yahoo breach affect me? Simple. I just went to my Yahoo account, closed it and went over to my Gmail account.”
That one statement captures the main problem web services like Yahoo’s face on a 24/7 basis: credibility in safeguarding personal information. To be fair, this could happen to anybody, and it does on a regular basis; the public just doesn’t become aware of all the breaches.
Yahoo had agreed earlier this year to sell its core businesses to Verizon Communications for $4.8 billion. Verizon said that it might seek to renegotiate the terms of the transaction after the first hacking was discovered. It’s not known how the Dec. 14 hack attack will affect the purchase, which is still in process. No matter what, this news isn’t going to help Yahoo’s side of the negotiation.
As one might expect, eWEEK was inundated with reactions from IT folks far and wide after the news broke two days ago. The self-serving, “I told you so” statements were easily remedied by the delete button.
Others are legitimate observations based on industry experience and perspective—information from which Yahoo and others can learn. We include some of the more cogent ones here.
Jason Rose, Senior Vice President, Gigya (a customer identity management provider):
“The biggest casualty is consumers’ loss of trust in Yahoo, which will, ultimately, erode the company’s value for pending acquirer Verizon. Trust is earned in drips and lost in buckets. In the online world, customers need to share their identity: email addresses, personal preferences, credit card numbers, etc., in order to connect with the businesses that provide them goods and services. If customers can’t rely on a business to protect that data, then trust is lost. In other words, identity is the currency of trust.”
James Maude, Senior Software Engineer, Avecto:
“One in six people globally have now had their data breached thanks to Yahoo. With a breach on such an unprecedented scale, users should be concerned about how a behemoth of the internet failed to notice this for such a long period of time. This is especially concerning as recent reports have shown that around this time Yahoo was busy undermining its own security by installing backdoors in its own infrastructure for government agencies. There is the worrying possibility that this undisclosed backdoor served as cover for the data breaches, as employees deliberately ignored or hid these back channels.
“Initial reports suggest that the attackers manipulated cookies, which are normally used to authenticate or track users; however, in this case the attackers changed them to bypass logins without requiring a password. Using this technique, attackers could have logged into accounts at will and monitored them for great lengths of time. With such negligence questions must be asked as to what was going on at Yahoo to allow this to happen.”
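Maude’s remark about attackers altering cookies to bypass logins points at the defensive control that stops it: a session cookie whose contents are bound to a server-held secret, so that any edit to the user field, any replay past expiry, and any cookie issued before a secret rotation is rejected. The following is an added illustration written for this article, not Yahoo’s code or any detail of the actual intrusion; the secret, user names and timestamps are constructed, and the cookie layout (`user.expiry.signature`) is an assumption chosen for clarity.

```python
import base64
import hashlib
import hmac
import time

# Constructed example secret. In a real deployment this lives in a secrets
# manager, never in source control, and is rotated if compromise is suspected.
SERVER_SECRET = b"example-server-secret-do-not-reuse"


def _sign(payload: bytes, secret: bytes) -> str:
    """HMAC-SHA256 over the payload, base64url-encoded without padding."""
    tag = hmac.new(secret, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(tag).decode().rstrip("=")


def mint_session_cookie(user_id: str, secret: bytes, now: int, ttl_seconds: int = 3600) -> str:
    """Issue a cookie of the form user_id.expiry.signature.

    The signature covers both the user field and the expiry, so neither can be
    changed without the secret.
    """
    if "." in user_id:
        raise ValueError("user_id must not contain the field separator")
    expiry = now + ttl_seconds
    payload = f"{user_id}.{expiry}".encode()
    return f"{user_id}.{expiry}.{_sign(payload, secret)}"


def verify_session_cookie(cookie: str, secret: bytes, now: int):
    """Return the user_id if the cookie is well-formed, authentic and unexpired; otherwise None."""
    parts = cookie.split(".")
    if len(parts) != 3:
        return None
    user_id, expiry_str, sig = parts
    expected = _sign(f"{user_id}.{expiry_str}".encode(), secret)
    # Constant-time comparison so the check leaks nothing about the tag.
    if not hmac.compare_digest(expected, sig):
        return None
    try:
        expiry = int(expiry_str)
    except ValueError:
        return None
    if now >= expiry:
        return None
    return user_id


def tamper_user_field(cookie: str, new_user_id: str) -> str:
    """Test fixture: rewrite the user field while keeping the old signature,
    which is what a client without the secret can do."""
    _, expiry, sig = cookie.split(".")
    return f"{new_user_id}.{expiry}.{sig}"


if __name__ == "__main__":
    now = int(time.time())
    cookie = mint_session_cookie("alice", SERVER_SECRET, now)
    print("genuine  :", verify_session_cookie(cookie, SERVER_SECRET, now))
    print("tampered :", verify_session_cookie(tamper_user_field(cookie, "bob"), SERVER_SECRET, now))
    print("expired  :", verify_session_cookie(cookie, SERVER_SECRET, now + 3600))
    print("rotated  :", verify_session_cookie(cookie, b"rotated-secret", now))
```

Two design points matter here. First, the signature must cover every field the server later trusts (the user id and the expiry), not just one of them, or the unsigned field becomes the bypass. Second, rotating `SERVER_SECRET` invalidates every outstanding cookie at once, which is the cookie-side counterpart of the forced password reset and security-question invalidation described earlier in the article; a server-side session store with per-session revocation gives finer control when a single account, rather than the whole population, needs to be logged out.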
Craig A. Newman, head of Privacy & Data Security Practice, Patterson Belknap LLP:
“Not only is this a big deal in the context of the proposed sale to Verizon, but it raises obvious questions about Yahoo’s overall data security protocols, particularly if 1 billion accounts were hacked more than 3 years ago and we’re just finding out about it now. Surely, it ups the stakes in the proposed deal and gives Verizon a lot more leverage either to renegotiate the purchase price or walk from the deal. While it also underscores the importance of cybersecurity due diligence in an M&A transaction and its direct link to valuation, it begs the broader question of reputational risk and what this is really going to cost in terms of litigation and regulatory investigations.”