San Francisco - Yahoo! disclosed a second major security
breach that may have affected more than 1 billion user accounts, another blow
to the company’s reputation as it nears the sale of its main web businesses to
Verizon Communications Inc.
The company said in a statement Wednesday that it hasn’t
been able to identify the “intrusion” associated with this theft by a third
party in August 2013. The event was unearthed by forensic experts after law
enforcement investigators warned the company about a potential breach. Yahoo
has said it has about 1 billion users.
Yahoo said it believes the incident “is likely distinct”
from the hack the company disclosed in September. The shares dropped as much as
2.7 percent in extended trading after the announcement.
In September, Yahoo said the personal information of at
least 500 million accounts was stolen in a 2014 attack on its accounts,
exposing data from a wide swath of its users ahead of the Verizon deal. The
attacker was a “state-sponsored actor,” and stolen information may have
included names, e-mail addresses, phone numbers, dates of birth, encrypted
passwords and, in some cases, unencrypted security questions and answers, Yahoo
has said.
“This is more of the same bad news for every Yahoo user,”
Paul Martini, chief executive officer of San Diego-based Iboss Cybersecurity,
said in a statement. “What’s really shocking about this latest breach is that
everyone with a Yahoo account has now likely had their personal information
stolen two or three times.”
Continuing challenges
For CEO Marissa Mayer, the new hacks could weaken Yahoo’s
reputation with users who have been using its services for years and further
tarnish its credibility ahead of the Verizon deal. The lack of progress on the
earlier breach, and the limited information provided to Verizon, caused
misgivings inside the telecommunications company about the deal, people
familiar with the matter told Bloomberg in October. Yahoo said last month the
$4.8 billion sale of its web portal still is expected to close in the first quarter
of next year.
“As we’ve said all along, we will evaluate the situation
as Yahoo continues its investigation,” Verizon said Wednesday in an e-mailed
statement. “We will review the impact of this new development before reaching
any final conclusions.”
If the investigation shows significant harm to the
business and Yahoo customers, Verizon would consider options like reducing the
deal price or walking away, a person familiar with the matter said Wednesday.
The acquisition still makes strategic sense for Verizon, said another person
familiar with the company’s discussions.
“Strategically, common wisdom is that the parts of the
company that Verizon is most interested in are not necessarily that tied to
stuff like user accounts and e-mail -- it’s the media properties,” said Jeff
Vogel, managing director at investment banking firm Bulger Partners. “If the
liabilities of the rest of the company are more significant -- because of
lawsuits and damages and reputational damage -- than we had thought, that could
impact the deal financially.”
Alerting users
In the 2013 hack disclosed Wednesday, Yahoo said
compromised user account information may have included names, e-mail addresses,
telephone numbers, dates of birth, hashed passwords and, in some cases,
encrypted or unencrypted security questions and answers. The company said it
was notifying potentially affected users and had taken steps to secure their
accounts.
In November, Yahoo gave an update to investors on its
internal review of the hack, saying an independent board committee is
investigating how many employees at Yahoo knew about the breach.
Yahoo also previously disclosed an investigation into the
creation of forged cookies that could allow an intruder to access users’
accounts without a password. As of now, the company believes an unauthorized
party accessed the “code to learn how to forge cookies.”
“Experts have identified user accounts for which they
believe forged cookies were taken or used,” the company said. “Yahoo is
notifying the affected account holders, and has invalidated the forged cookies.”