Yahoo Breach – 500 Million Accounts Compromised

September 23, 2016 CyberCecurity Leave a comment

Unless you have been totally disconnected for the last 24 hours, you are no doubt aware that Yahoo announced what may be the largest breach of accounts in history – 500 million accounts. Included in the hack were names, email addresses, phone numbers, dates of birth, hashed passwords and security questions. They are saying, at this point, that credit card information and bank account information was NOT part of the hack.

While the passwords were encrypted with a strong encryption algorithm, given that the hackers have all the time in the world to decrypt them, they will likely be successful. Also part of the haul were the security questions and answers. Some of the questions and answers were encrypted; some were not.

Besides the fact that this information could be used to hack into people’s Yahoo accounts, if people reuse their passwords and security questions, that information could be used to access other accounts – potentially even bank accounts if the person used the same password or security questions.

Yahoo is telling people to change their passwords and security questions, but what is equally important is for people to change the passwords and security questions for any other accounts that used the same credentials.

You may also be aware that Verizon agreed to buy Yahoo for a little more than $4 billion. Verizon said that they were not aware of the breach, which occurred in 2014 until two days ago – when the public became aware of it.

I guess no one at Verizon reads my blog – where I keep saying that companies need to conduct cyber due diligence prior to a buyout.

While both companies may be publicly committed to closing the deal, behind the scenes they has to be a lot of talk. When did Yahoo know about the 2014 breach? What is this breach going to cost – it won’t be cheap? Who is going to deal with the regulators? What about the inevitable lawsuits? Should the deal be repriced?

NBC is suggesting that the closing of the merger may be delayed and Marissa Mayer who might have stayed on as part of the transition team will likely be given her walking papers sooner. Of course, she likely doesn’t care as she will laugh all the way to the bank.

Unless, of course, regulators and/or Verizon discover that she knew about the breach and withheld that information.

Reuters is reporting (curiously on Yahoo News) that Yahoo said, in a September 9th regulatory filing that they were not aware of any incidents of unauthorized access that could materially effect the acquisition. The same article said that Motherboard emailed Yahoo on July 30th asking if they were aware that the hacker Peace was selling Yahoo credentials on the dark web. They published a story on August 1st saying that Yahoo was aware. This could come down, in court, to the issue of what the definition of is, is – as in is aware.

There probably are a bunch of investors – in both Verizon and Yahoo – that are pretty nervous right now.

Information for this post came from CNN , NBC and Reuters.