News of 2014 attack comes just as Verizon plans to buy web portal
BRIAN WOMACK AND JORDAN ROBERTSON
The Vancouver Sun
Yahoo Inc. said the personal information of at least 500 million users was stolen in an attack on its accounts in 2014, exposing a wide swath of its roughly 1 billion users ahead of Verizon Communications Inc.’s planned acquisition of the web portal’s assets.
The attacker was a “state-sponsored actor,” and stolen information may include names, email addresses, phone numbers, dates of birth, encrypted passwords and, in some cases, unencrypted security questions and answers, Yahoo said Thursday in a statement. The continuing investigation doesn’t indicate theft of payment card data or bank account information, or unprotected passwords, the company said. Affected users are being notified, accounts are being secured, and there’s no evidence the attacker is still in Yahoo’s network, it also said.
“Yahoo is working closely with law enforcement on this matter,” the company said in the statement. “Online intrusions and thefts by state-sponsored actors have become increasingly common across the technology industry.”
The disclosure of the data theft comes at a particularly sensitive time for chief executive Marissa Mayer, as she navigates the company toward a planned US$4.8 billion acquisition by Verizon, set to close by early next year. Mayer, who has dealt with difficulties and complaints about Yahoo’s email service in the past, needs to keep users logging in to drive traffic and draw the advertising that fuels the company’s revenue growth, which has been sluggish under her leadership.
Verizon was notified of the incident within the last two days, the company said in an emailed statement. “We understand that Yahoo is conducting an active investigation of this matter, but we otherwise have limited information and understanding of the impact,” Verizon said in an email. “We will evaluate as the investigation continues through the lens of overall Verizon interests, including consumers, customers, shareholders and related communities.”
The confirmation that accounts were compromised came almost two months after the company said it was investigating claims that a hacker was offering to sell user account details stolen in a data breach. The same hacker, who previously sold data taken from LinkedIn and MySpace, posted information from 200 million Yahoo accounts on a dark web marketplace, Motherboard reported in early August. The stolen information being offered was most likely from 2012, Motherboard reported, citing the hacker, who uses the name Peace.
“All of this compromised information is very useful for criminals in order to hijack user identities and use them for fraudulent purposes,” Avivah Litan, an analyst with Gartner, said. “Identity impersonation has become a global criminal epidemic and there are no simple solutions.”
Yahoo is encouraging users to review their accounts for suspicious activity and to change their password and security questions — along with answers for other online accounts where they use the same or similar information. The company also recommends users avoid clicking on links or downloading attachments from suspicious emails.
Many of the stolen accounts in a sample of data obtained by Motherboard were no longer in use and had been cancelled. The sale of all of the data for just under US$2,000 suggested much of the information was obsolete, made up, or useless because the hackers had already attacked legitimate accounts and exhausted their need for the material.
While the breach is a blow to Yahoo, more broadly it underscores the danger of large data sets spilling into the hacker underground and being used for criminal purposes for years without the breached companies knowing, or with them only taking minimal action based on whatever data hackers tell them was taken.
© 2016 National Post, a division of Postmedia Network Inc