
Yahoo issues new breach warning; Verizon shaves $300M off its Yahoo offer

Verizon was in talks to purchase Yahoo's internet business when news broke that the web company had been hit with two massive data breaches. This has had an impact on the asking price: the initial offer of $4.8 billion has been reduced by about $250 million, according to a report Wednesday on Bloomberg. Other reports cite the revised figure as shaving as much as $350 million off.

In addition to the price reduction, Verizon and the repackaged version of Yahoo, to be named Altaba, will split costs related to the fallout resulting from the breaches, said undisclosed sources close to the proceedings. The revised agreement is still being tweaked, but could be announced soon, they said.

The acquisition was first made public in July and was scheduled to be completed in 1Q 2017. However, Yahoo announced last month that the deal was on hold until at least 2Q owing to a reassessment of its value following the breaches.

Verizon intends to combine Yahoo with its AOL division, seeking to expand its audience and increase revenue from digital advertising.

Yahoo's investigation continues into who or what was behind the incursions. Email addresses, passwords and dates of birth of, some reports said, over a billion subscribers were stolen.

In November, the company announced it was working with federal, state, and foreign governmental officials and agencies, including the U.S. Federal Trade Commission and the U.S. Securities and Exchange Commission. The Federal Bureau of Investigation is investigating the hack as well.

In other Yahoo-related news, the company released a fresh warning to users advising that accounts might have been compromised, placing the blame on the same "state-sponsored actor" behind the breaches in 2013 and 2014.

This round of fraudulent activity was said to be related to the use of "forged cookies" – data strings used across the web that can enable access to web accounts without re-entering a password.

"Based on the ongoing investigation, we believe a forged cookie may have been used in 2015 or 2016 to access your account," read the statement from Yahoo.

It's not known how many accounts may be affected.

"This trickling out of breach notices undermines the whole purpose of breach notification laws: afford consumers the ability notice such that they can act to protect their identities," Mike Overly, a partner in the cybersecurity practice at Foley & Lardner LLP, told SC Media on Wednesday. "When months and sometimes years pass, that purpose cannot be fulfilled and the breach notification becomes a useless fiction. Any potential harm that could be done, has been done. This is the security equivalent of closing the barn door after the horse has escaped."

This latest round of notices also serves to highlight just how jaded consumers have become with cloud service providers who routinely suffer these types of breaches, Overly added. "What once was a call to action for a consumer to take steps to protect their identity, now, in many cases, is 'just another breach notice' that is filed with the dozen or so other notices the average consumer receives."

Consumers must learn to choose their cloud service providers wisely, Overly cautioned. "Never use identical or similar login credentials and continue to take these notices seriously."

This is more fallout from Yahoo's epic fail to secure accounts and protect consumer data, Adam Levin, chairman and founder of CyberScout, told SC Media on Wednesday. "With more than 1 billion accounts exposed due to its historic data breach, it's the Yahoo! customer that is left holding the bag while Yahoo! execs were rewarded with golden parachutes."

Breaches are the third certainty in life, said Levin, the author of Swiped, a book on identity theft. "With state-sponsored hackers becoming a major threat, it is clear the Cyber War has replaced the Cold War and business and government needs to work together to shore up our cyber defenses," he told SC. "Consumers need to stay on high alert by changing passwords and using long and strong combinations, never duplicating passwords across accounts and websites, enabling two-factor authentication and disabling cookies where they can."

While it is news that Yahoo is making another announcement about a breach, it shouldn't be surprising, Jason Hart, CTO of data protection at Gemalto, told SC Media on Wednesday. Opt-in security is not an option in this day and age, he said. "The company recommended that users consider adopting its Yahoo Account Key, an authentication tool that eliminates the need for a password. However, tools like this only work if the user remembers to activate them."

Given the current security climate, Hart said all companies should have multifactor authentication activated by default for all online accounts. "Now, it only remains to see how much more of a discount Verizon may ask for."


UPDATE, February 21: SC Media heard from Yahoo following publication of the above article.

According to a Yahoo spokesperson: "As we have previously disclosed, our outside forensic experts have been investigating the creation of forged cookies that could have enabled an intruder to access our users' accounts without a password. The investigation has identified user accounts for which we believe forged cookies were taken or used. Yahoo is in the process of notifying all potentially affected account holders. Yahoo has invalidated the forged cookies so they cannot be used again."
