"State hackers" stole data from 500m Yahoo customers

James Pearce

2014 hack could be biggest in US history and raises questions over Verizon acquisition, experts claim

Yahoo claims “state-sponsored” hackers stole information from around 500 million users in what has been called the largest publicly disclosed cyber attack in history.

Hackers accessed swathes of personal data including names, emails and “unencrypted security questions and answers” in the attack, which took place in late 2014.

Following an investigation by the content giant, which is set to be acquired by Verizon in a deal worth $4.8 billion, Yahoo disclosed the attack, which it says did not include unprotected passwords, payment card data, or bank account information.

A statement from Yahoo said: “A recent investigation by Yahoo has confirmed that a copy of certain user account information was stolen from the company’s network in late 2014 by what it believes is a state-sponsored actor.

“Based on the ongoing investigation, Yahoo believes that information associated with at least 500 million user accounts was stolen and the investigation has found no evidence that the state-sponsored actor is currently in Yahoo’s network. Yahoo is working closely with law enforcement on this matter.”

The content provider said it is beginning to notify potentially affected users via email, asking them to change their passwords and adopt alternate means of account verification.

The disclosure of the hack throws up questions around the future of Verizon’s acquisition, announced in July, according to Varonis VP of strategy and market development David Gibson.

He said: “It’s hard to say for sure whether the breach will upset the pending acquisition by Verizon—publishers of the renowned yearly Data Breach Investigation Report—but it certainly could. If witnessing a data breach capsize a $4.8 billion acquisition doesn’t shock CEOs and CSOs into investing more in security, what will?

“There will certainly be financial repercussions for Yahoo!, if not by way of fines and lawsuits, certainly in terms of time and effort to recover, perform an investigation, and further invest in bolstering security.”

Mark Skilton, a professor of practice at Warwick Business School in the UK, said the hack could provide a “significant headache for Verizon in its planned imminent takeover of Yahoo!”

Reports of a cyber attack carried out on Yahoo first emerged days after the Verizon takeover had been announced, with a post on Motherboard claiming that a hacker was “advertising 200 million of alleged Yahoo user credentials on the dark web.” It is unclear if this alleged hack is the same as the one announced by Yahoo yesterday (22 September).

In Verizon’s takeover agreement, dated 23 July 2016 and uncovered by Fortune, a paragraph relates to what Yahoo knew and when it knew it.

“To the Knowledge of Seller, there have not been any incidents of, or third party claims alleging, (i) Security Breaches, unauthorized access or unauthorized use of any of Seller’s or the Business Subsidiaries’ information technology systems or (ii) loss, theft, unauthorized access or acquisition, modification, disclosure, corruption, or other misuse of any Personal Data in Seller’s or the Business Subsidiaries’ possession, or other confidential data owned by Seller or the Business Subsidiaries (or provided to Seller or the Business Subsidiaries by their customers) in Seller’s or the Business Subsidiaries’ possession, in each case (i) and (ii) that could reasonably be expected to have a Business Material Adverse Effect.”

Verizon has confirmed it was only informed of the breach within the last two days, and said it would “evaluate as the investigation continues.”

If the attack described by Motherboard is the same one, this timeframe means either Yahoo failed to inform Verizon prior to the agreement, potentially making it in breach of the paragraph above, or learned of the attack after 23 July but before 1 August, when Motherboard published the post. At the time, Yahoo told Motherboard it was “aware” of the claims.

If the deal with Verizon were to fall through, that could open the door for other potential bidders, such as rival AT&T, which was linked with a takeover prior to the Verizon announcement.

AT&T itself was subject to a hack in 2014, which resulted in the Federal Communications Commission slapping it with a record-breaking $25 million fine. 280,000 customers' names, full or partial Social Security numbers, and account-related data were accessed in the attack.

Numerous security experts said the Yahoo breach should set “alarm bells ringing” for businesses around the globe.

Paul German, VP EMEA at cyber security experts Certes, said: “Even heavyweights like Yahoo and LinkedIn have a problem protecting consumer data, pointing to an inherent flaw in the way cyber security is being approached.

“The problem lies in the fact that once hackers cross a company’s carefully laid out cyber defences, the network, and the treasure trove of data within it, is their oyster. Moving laterally, they are able to siphon off huge swathes of valuable information without difficulty until they are detected, often months after the initial breach.

“The problem lies in the current cyber security model which takes a ‘protect’, ‘detect’, ‘react’ approach. There is a significant lag between the protection being sidestepped and the criminal being detected. Currently this leaves a hacker free to rummage through a company’s most sensitive data, wreaking havoc. There is a fundamental step missing – at whatever point a hacker enters a network they must be contained, restricting the data they can access and the damage they can inflict before they are detected.”

ESET security specialist Mark James added: “500 million accounts is huge by any standards, we sometimes get a little blasé as the numbers get higher but let’s not make any mistakes here, that’s a lot of customers’ information stolen here.

“Data breaches are on the up, it’s almost a daily occurrence but the damage it causes is massive. The data may be used for immediate financial gain or used later along with more information to enable identity theft or phishing attacks; either way it could be very damaging for the victim.

“As Verizon are about to buy Yahoo, they will have to consider the backlash of future issues with compromised account data. Because the ramifications of data breaches are often felt in the future they will have to consider the implications of any customers who can prove identity issues caused as a result of this particular breach if they are the new owners.”