Yahoo on Wednesday revealed that Net bandits stole data associated with 1 billion of its user accounts — one of the largest data breaches in Internet history.
The theft, which occurred in August 2013, is distinct from the theft disclosed earlier this fall, in which 500 million accounts were compromised, Yahoo CISO Bob Lord explained.
Stolen information may include names, email addresses, telephone numbers, dates of birth, hashed passwords using MD5 encryption — and in some cases, encrypted or unencrypted security questions and answers, according to Lord.
An unauthorized third party accessed the code Yahoo uses to create cookies, he noted. Access to that code allowed attackers to compromise accounts with forged cookies.
In response to this latest discovery, Yahoo is taking steps to secure the accounts of affected users and invalidate forged cookies, said Lord, as well as to harden its systems against similar attacks.
More Data Nicked
This latest breach at Yahoo appears worse than the previous one not only because is it bigger, but also because more-sensitive information was stolen.
“More information was released than just usernames and passwords,” explained Rami Essaid CEO of Distil Networks.
“The bad guys are getting a more holistic look at these users,” he told TechNewsWorld.
The weakly encrypted or plaintext security questions in particular could be problematic, because the answers to those questions don’t change from site to site.
“You can change your passwords, but you only have one mother’s maiden name and one birth date,” Essaid noted.
How this latest data breach could affect the US$4.8 billion sale of Yahoo to Verizon is unknown. However, after news of the first breach made headlines, Verizon sought to lop $1 billion from the original purchase price, according to reports.
As with the previous Yahoo data breach, Verizon’s official reaction to the latest theft was brusque.
“As we’ve said all along, we will evaluate the situation as Yahoo continues its investigation,” the company said in a statement provided to the E-Commerce Times by spokesperson Rich Young. “We will review the impact of this new development before reaching any final conclusions. We have no additional comment at this time.”
Companies buy other companies for any number of reasons — their customer lists, their technology or their talent, among other things — observed RedSeal CEO Ray Rothrock.
“If Verizon was buying Yahoo for its customers, this is a bad deal,” he told the E-Commerce Times.
If Verizon expected to merge its customer databases with Yahoo’s, it might think twice about that now.
“It’s likely Verizon will avoid merging databases,” said Peter Martini, president of Iboss. “That will impact the value of the acquisition, since a good portion of that value was for Yahoo’s customer database.”
In addition, many Yahoo customers may avoid using the company’s services because of the breach.
“If they see a large exodus of customers, it will further impact the value of the company,” Martini told the E-Commerce Times.
Worse yet, Verizon doesn’t know if there is more bad news down the road, added Mark Graff, CEO of Tellagraff.
“They’ve had these breaches and have not been able to fix them,” he told the E-Commerce Times. “Why should we believe the intruders still aren’t there? Why should we think there’s not another shoe to drop?”
Go to Gmail
Whether the Verizon-Yahoo deal is completed or not, it’s likely to influence many future mergers and acquisitions, noted Shuman Ghosemajumder, CTO ofShape Security.
“The deal will serve as the archetype for the need for thorough security-related due diligence by acquirers in the future,” he told the E-Commerce Times.
“The worst-case scenario for Verizon would have been to have completed the acquisition at the original price before either of these breaches was discovered or announced,” Ghosemajumder said. “Future acquiring companies will want to do everything in their power to avoid such a situation, and will likely add more detailed security reviews to their due diligence processes.”
This latest breach is tantamount to criminal negligence, suggested Stu Sjouwerman, CEO of KnowBe4.
Yahoo users should “vote with their feet” and close their Yahoo accounts, he told the E-Commerce Times. “Yahoo has proven not to be trustworthy, so I’m advising Yahoo account owners to go to Google.”