Yahoo leaks like a sieve

As poison chalices go, Yahoo is doing its best to redefine the word. First it failed to disclose the loss of 500 million user accounts during the Verizon negotiations. That led to Verizon reportedly demanding a $1 billion discount on the agreed price. Now it has admitted to the loss of a further 1 BILLION customer records. This massive reputational damage can only threaten further the deal to sell assets to Verizon.

Yahoo has issued a press release entitled: “Important Security Information for Yahoo Users.” The release says that after analysing data provided to it by law enforcement it believes: “…an unauthorized third party, in August 2013, stole data associated with more than one billion user accounts. The company has not been able to identify the intrusion associated with this theft. Yahoo believes this incident is likely distinct from the incident the company disclosed on September 22, 2016.”

From a security perspective there are a number of red flags here. The first is that despite investigating the previous massive breach, this one went undetected. It is also difficult to understand how, in the same timeframe, two ultra large security breaches ran in parallel with nobody detecting them. Yahoo has previously blamed the loss of 500 million accounts on a “state-sponsored actor.” So far, it has steered clear of that in this latest announcement.

Users will take little comfort from the claim that: “Payment card data and bank account information are not stored in the system the company believes was affected.” The issue here is the word “believes”. Given Yahoo’s track record over the last few months it is unlikely that anyone will take these statements at face value.

The release also contains information on a third incident. The company said its: “outside forensic experts were investigating the creation of forged cookies that could allow an intruder to access users’ accounts without a password.” What is worrying about this is the admission that the hackers gained access to proprietary Yahoo code. This is what it believes has allowed them to forge the cookies. Those cookies were used to attack user accounts and Yahoo says it is contacting all those users it believes were identified. This action is being ascribed to the state-sponsored actor who stole the first batch of user records.
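As an added illustration, not code from the article or from Yahoo: a session-cookie scheme in which the signing key is read from the environment rather than embedded in source, so that a party who obtains only the code cannot produce a cookie that verifies. The variable name SESSION_SIGNING_KEY, the fallback value and the cookie layout are assumptions.

```python
import base64
import hashlib
import hmac
import json
import os
import time
from typing import Optional

# Assumption: the key lives outside the code base (an environment variable here).
# The fallback is a constructed demo value so the block runs offline.
SECRET_KEY = os.environ.get("SESSION_SIGNING_KEY", "constructed-demo-key").encode()


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_cookie(user: str, ttl_seconds: int, now: Optional[int] = None,
                 key: bytes = SECRET_KEY) -> str:
    """Build 'payload.tag', where tag = HMAC-SHA256(key, payload)."""
    now = int(time.time()) if now is None else now
    claims = {"user": user, "exp": now + ttl_seconds}
    payload = _b64(json.dumps(claims, separators=(",", ":")).encode())
    tag = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{_b64(tag)}"


def verify_cookie(cookie: str, now: Optional[int] = None,
                  key: bytes = SECRET_KEY) -> Optional[str]:
    """Return the user if the cookie is authentic and unexpired, else None."""
    now = int(time.time()) if now is None else now
    try:
        payload, tag = cookie.split(".", 1)
        expected = hmac.new(key, payload.encode(), hashlib.sha256).digest()
        # Constant-time comparison: timing must not reveal how much of the tag matched.
        if not hmac.compare_digest(_unb64(tag), expected):
            return None
        claims = json.loads(_unb64(payload))
        if claims["exp"] <= now:
            return None
        return claims["user"]
    except (ValueError, TypeError, KeyError, AttributeError):
        return None
```

A cookie produced with a different key, a payload swapped under a valid tag, or an expired cookie all verify as None.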

Ed Macnair, CEO, CensorNet

According to Ed Macnair, CEO, CensorNet: “A breach of this size is almost unfathomable – even disregarding the fact this is the second massive breach disclosure from Yahoo in a matter of months. There have clearly been some historic security failings at the company and they are now paying the price. We’re living in an era where any data held online is inherently insecure and if the right controls aren’t in place, someone will steal it. While the numbers impacted in this case are massive, Yahoo isn’t the first and won’t be the last unless businesses do better at protecting the information they hold.

“While one would hope that most Yahoo account holders changed their passwords earlier in the year, relying on that as a method of dealing with lost details can’t go on much longer. It should have become clear to almost everyone that the password / username method is broken and to stop events like this we need a new system in place. The tools, like multi-factor authentication, already exist; we now need to force their use and make it harder for hackers to get what they want. This situation will carry on repeating itself until we make a change.”

In answer to Macnair’s criticism, Yahoo does already have an alternative to passwords. It is called the Yahoo Account Key and the company has been trying to get users to switch to it. Perhaps it is now time to force that switch on customers by requiring a complete reset of their accounts.

Conclusion

One breach is damaging and that was the 450,000 records lost back in 2012. When it disclosed the 500 million record breach earlier this year it looked as if the company had hit a new low for data protection. To now disclose a 1 billion record breach that was active at the same time as other breaches is truly staggering. It is likely that there will be a lot of senior Yahoo execs desperately trying to prove they knew nothing about this mess.

This could also just be the tip of the iceberg, and the third “cookie” breach could prove even more fatal. Yahoo has only one billion monthly active accounts. Does the 1 billion represent its entire active user base? How will it deal with dormant accounts?

For Verizon, cancelling the deal may be difficult. However, this latest breach may give it all the ammunition it needs to show that the value of Yahoo has fallen dramatically. In that case it can renegotiate the deal without any risk of penalty. Verizon is in a difficult position. It wants to compete with Facebook and Google for advertising spend. However, it can only achieve that if advertisers trust the platform will deliver something of value. At the moment, it is likely that most will be watching and waiting to see where the reputational damage stops.

There is also the not-so-small matter of Marissa Mayer’s payoff, negotiated as part of the deal. It will be interesting to see if Verizon now seeks to claw some of that back given how potentially toxic the brand has become.
