Yahoo suffers world’s biggest hack

China Daily (Hong Kong) - WORLD - By AGENCIES in San Francisco

Yahoo has discovered a 3-year-old security breach that enabled a hacker to compromise more than 1 billion user accounts, breaking the company’s own humiliating record for the biggest security breach in history.

The digital heist disclosed on Wednesday occurred in August 2013, more than a year before a separate hack that Yahoo announced nearly three months ago. That breach affected at least 500 million users, which had been the most far-reaching hack until the latest revelation.

“It’s shocking,” said security expert Avivah Litan of Gartner Inc.

Both lapses occurred during the reign of Yahoo CEO Marissa Mayer, a once-lauded leader who found herself unable to turn around the company in the four years since her arrival. Earlier this year, Yahoo agreed to sell its digital operations to Verizon Communications for $4.8 billion, a deal that may now be imperiled by the hacking revelations.

Two separate hacks

Yahoo didn’t say if it believes the same hacker might have pulled off two separate attacks. The Sunnyvale, California, company blamed the late 2014 attack on a hacker affiliated with an unidentified foreign government, but said it hasn’t been able to identify the source behind the 2013 intrusion.

Yahoo has more than a billion monthly active users, although some have multiple accounts and others have none at all. An unknown number of accounts were affected by both hacks.

In both attacks, the stolen information included names, email addresses, phone numbers, birth dates and security questions and answers. The company said it believes bank-account information and payment-card data were not affected.

But hackers also apparently stole passwords in both attacks. Technically, those passwords should be secure; Yahoo said they were scrambled twice, once by encryption and once by another technique called hashing. But hackers have become adept at cracking secured passwords by assembling huge dictionaries of similarly scrambled phrases and matching them against stolen password databases.

Questions for Verizon

That could mean trouble for any users who reused their Yahoo password for other online accounts. Yahoo is requiring users to change their passwords and invalidating security questions so they can’t be used to hack into accounts.

News of the additional hack further jeopardizes Yahoo’s plans to fall into Verizon’s arms. If the hacks cause a user backlash against Yahoo, the company’s services wouldn’t be as valuable to Verizon, raising the possibility that the sale price might be renegotiated or the deal may be called off. The telecom giant wants Yahoo and its many users to help it build a digital ad business.

After the news of the first hack broke, Verizon said it would re-evaluate its Yahoo deal and in a Wednesday statement said it will review the “new development before reaching any final conclusions”. Spokesman Bob Varettoni declined to answer further questions.

Investors appeared worried about the Verizon deal. Yahoo’s shares fell 96 cents, or 2 percent, to $39.95 after the disclosure of the latest hack.
