Yet another story that raises concerns about privacy and security. What do we need to know about the Yahoo breach?
Mellody: We have obviously seen an increase in breaches lately, as fraudsters and hackers continue to find ways into companies’ systems. But this latest breach at Yahoo is really extraordinary for a few reasons. Yahoo said Thursday that the account information of at least 500 million users was stolen by hackers, in the biggest known intrusion of one company’s computer network. Secondly, this occurred two years ago, meaning that the account information for users who were affected has potentially been exposed this entire time.
Finally, this has enormous implications for the company’s sale of its core assets to Verizon. Not only does this security breach mean that the company will likely lose users at a more rapid pace than it had been before, but that in turn could raise questions about the details of the sale as Verizon may balk at paying the originally agreed upon price tag of $4.8 billion for what is now a compromised asset.
You mentioned that this is the biggest known intrusion into a single company’s network. How did it take two years to find?
Yahoo said it learned of the data breach this summer after hackers posted what they claimed was stolen Yahoo user data. A Yahoo security team was unable to verify those specific claims, but eventually discovered a much larger problem: an incursion by a state-sponsored actor that dated back to 2014. State-sponsored means that the action was backed by a foreign nation, which could point to why the discovery took much longer, as these hackers are more professionalized and leave fewer traces. Neither Yahoo nor law enforcement has speculated about what country might have been responsible for this.
Let’s talk about the users who are impacted. What has been exposed?
At least 500 million account records are believed to have been exposed across platforms like Yahoo Mail (250 million users), Yahoo Finance (81 million users) and Flickr, the photo-sharing service (113 million users whose accounts may have been linked to their Yahoo IDs). Yahoo has said user information that was exposed includes names, email addresses, telephone numbers, birth dates, encrypted passwords and, in some cases, security questions.
But it’s not just that hackers have this personal information. Of equal concern is how they can use it. With this information, hackers may be able to access accounts and information on thousands of other sites. And because Yahoo Mail is one of the oldest free email services, many longtime users have built their digital identities around it, from their online banking account access codes to photo albums and even medical information. This breach could expose this information too.
One positive thing to note from this story is that sensitive financial data like bank account numbers and credit card data are not believed to be included in the stolen information, according to Yahoo.
How do users protect themselves after breaches?
The first step is to change passwords for all accounts with access to sensitive financial or health information. This does not mean changing just one letter in your password. You need a totally new separate password for each of your accounts. These breaches are much more damaging when you use a single password. If you have a hard time doing this, try using a password manager that will create unique passwords for you.
Now listen carefully because this second step is important when the breach involves an email account. You need to review all of your other service accounts that your email is linked to, such as subscriptions and shopping accounts – in this case those for which you provided a Yahoo email address – to make sure passwords used on those sites aren’t too similar to what you were using on your email account.
And if you weren’t doing so already, you need to treat all online communications with an abundance of suspicion, in case hackers are trying to trick you out of even more information.
Switching gears, how will this impact Verizon’s purchase of Yahoo’s core business?
It adds more uncertainty to the transaction in many ways. First, as I mentioned, it may have an impact on Yahoo’s final sale price, for a number of reasons. Yahoo has been losing users, traffic and market share to its competitors. If this breach amplifies this trend, that could be considered. Secondly, security experts say the breach could bring about class-action lawsuits, in addition to other costs. An annual report by the Ponemon Institute in July found that the cost to remediate a data breach is $221 per stolen record. Added up, that would top Yahoo’s $4.8 billion sale price. So there could be a significant financial headache that comes with this breach.
Ultimately, I believe that this sale will go forward, as Verizon is eager to pair Yahoo’s assets with AOL’s assets. But this definitely adds some uncertainty to the mix at a sensitive time for Yahoo.