Yahoo on Thursday reported the largest data breach in history – affecting at least 500 million user accounts – months after first detecting signs of an intrusion that the company blamed on “state-sponsored” hackers.
The Web giant called on customers to change their passwords and institute other protective measures, but the largest fallout could be for Yahoo itself. The long-faltering company this summer agreed to sell its core business for $4.8 billion to telecommunications giant Verizon in a deal now clouded by news of the massive breach. Verizon said it learned of the incident only “within the last two days.”
The timeline highlighted a dilemma created by hacks: Companies often take months or even years to report suspicions of breaches – if they report them publicly at all – holding the information back from customers, business partners and even potential new owners of a company.
“The dark cloud this casts will be very long and will likely impact the merger agreement,” Jeff Kagan, a Georgia-based telecommunications industry analyst, said in an email. “We’ll just have to wait and see what happens next.”
Yahoo learned of the incident in July, the same month it announced its deal with Verizon, a person familiar with the matter said, speaking on condition of anonymity to freely discuss the issue.
When asked, Yahoo declined to say whether it learned of the hack before or after that deal was announced.
Yahoo reported that the intrusion apparently began in 2014.
The number of affected accounts, 500 million, gave the incident the dubious distinction of being the largest breach on record, said Paul Stephens of the Privacy Rights Clearinghouse.
Stephens said that consumers must also take steps to protect themselves outside of their Yahoo accounts. “It’s really important that individuals think long and hard about passwords as well as security questions and answers they used on Yahoo that they might have used somewhere else,” Stephens said. “It’s very important to remember that if that information is available to hackers, they are going to try and use it on other sites, as well.”
Company Chief Information Security Officer Bob Lord wrote in a blog post that names, email addresses, telephone numbers, dates of birth and answers to security questions may have been stolen, but that financial information such as credit card numbers apparently was not, because that data was stored in a separate system.
“Yahoo is working closely with law enforcement on this matter,” Lord wrote.
On Thursday, Sen. Richard Blumenthal, D-Connecticut, called on investigators to determine whether Yahoo intentionally withheld information about the incident to “artificially bolster its valuation” by Verizon – a potentially serious act of deception.
The impact on Verizon’s deal with Yahoo was not immediately clear. Major data breaches have become a routine event for corporate America and also for major government agencies and political groups. The Yahoo intrusion stands out for the sheer scale of the customers apparently affected, a legacy of the company’s once-commanding position for Internet users who turned to the company for Web searches, email accounts, user groups and news reports.