Yahoo says 500 million accounts hacked
Calif. firm urges users to change their passwords
The massive security breakdown disclosed Thursday poses new headaches for Yahoo CEO Marissa Mayer as she scrambles to close a $4.8 billion sale to Verizon Communication.
The breach Thursday dates to late 2014, raising questions about the checks and balances within Yahoo — a fallen internet star that has been laying off staff to counter a steep drop in revenue during the past eight years.
At the time of the break-in, Yahoo's security team was led by Alex Stamos, a respected industry executive who left last year to take a similar job at Facebook.
Yahoo didn't explain what took so long to uncover a breach that it blamed on a “state-sponsored actor” — parlance for a hacker working on behalf of a foreign government. The Sunnyvale, Calif., company declined to explain how it reached its conclusions about the attack, but said it is working with the FBI and other law enforcement as part of its ongoing investigation.
“This is a pretty big deal that is probably going to cost them tens of millions of dollars,” predicted Avivah Litan, a computer security analyst for Gartner Inc. “Regulators and lawyers are going to have a field day with this one.”
Litan described it as the most accounts ever stolen from a single email provider.
The stolen data include users' names, email addresses, telephone numbers, birth dates, scrambled passwords, and the security questions — and answers — used to verify an accountholder's identity.
Last month, the tech site Motherboard reported that a hacker who uses the name “Peace” boasted that he had account information belonging to 200 million Yahoo users and was trying to sell the data on the web.
Yahoo is urging that users change their passwords if they haven't done so since 2014. The company said the attacker didn't get any information about its users' bank accounts or credit and debit cards.
News of the breach may cause some people to rethink relying on Yahoo's services, raising a prickly issue for the company as it tries to sell its digital operations to Verizon.
That deal, announced two months ago, isn't supposed to close until early next year. That leaves Verizon with wiggle room to renegotiate the purchase price or even back out if it believes the security breach will harm Yahoo's business. That could happen if users shun Yahoo or file lawsuits because they're incensed by the theft of their personal information.
Verizon said it still doesn't know enough about the Yahoo break-in to assess the potential consequences.
“We will evaluate as the investigation continues through the lens of overall Verizon interests, including consumers, customers, shareholders and related communities,” the company said.
Investors evidently aren't nervous about the Verizon deal unraveling yet. Yahoo's stock added a penny Thursday to close at $44.17.