Yahoo breach affects 1B

Cyberthieves struck more than a year before the 2014 hack that hit 500 million.

The Denver Post - FRONT PAGE - By Michael Liedtke

SAN FRANCISCO » Yahoo has discovered a 3-year-old security breach that enabled a hacker to compromise more than 1 billion user accounts, breaking the company’s own humiliating record for the biggest security breach in history.

The digital heist disclosed Wednesday occurred in August 2013, more than a year before a separate hack that Yahoo announced nearly three months ago. That breach affected at least 500 million users, which had been the most far-reaching hack until the latest revelation.

“It’s shocking,” said security expert Avivah Litan of Gartner Inc.

Both lapses occurred during the reign of Yahoo CEO Marissa Mayer, a once-lauded leader who found herself unable to turn around the company in the four years since her arrival. This year, Yahoo agreed to sell its digital operations to Verizon Communications for $4.8 billion — a deal that may now be imperiled by the hacking revelations.

Yahoo didn’t say if it believes the same hacker might have pulled off two attacks. The Sunnyvale, Calif., company blamed the late 2014 attack on a hacker affiliated with an unidentified foreign government, but said it hasn’t been able to identify the source behind the 2013 intrusion.

Yahoo has more than a billion monthly active users, although some have multiple accounts and others have none at all. An unknown number of accounts were affected by both hacks.

In both attacks, the stolen information included names, e-mail addresses, phone numbers, birthdates and security questions and answers. The company says it believes bank-account information and payment-card data were not affected.

Passwords taken, too

But hackers also apparently stole passwords in both attacks. Technically, those passwords should be secure; Yahoo said they were scrambled twice — once by encryption and once by another technique called hashing. But hackers have become adept at cracking secured passwords by assembling huge dictionaries of similarly scrambled phrases and matching them against stolen password databases.

That could mean trouble for any users who reused their Yahoo password for other online accounts. Yahoo is requiring users to change their passwords and invalidating security questions so they can’t be used to hack into accounts. (You may get a reprieve if you’ve changed your password and questions since September.)

Security experts said the 2013 attack was likely the work of a foreign government fishing for information about specific people. One big tell: It doesn’t appear that much personal data from Yahoo accounts has been posted for sale online, meaning the hack probably wasn’t the work of ordinary criminals.

That means most Yahoo users probably don’t have anything to worry about, said J.J. Thompson, CEO of Rook Security.

Questions for Verizon

News of the additional hack further jeopardizes Yahoo’s plans to fall into Verizon’s arms. If the hacks cause a user backlash against Yahoo, the company’s services wouldn’t be as valuable to Verizon, raising the possibility that the sale price might be renegotiated or the deal may be called off. The telecom giant wants Yahoo and its many users to help it build a digital ad business.

After the news of the first hack broke, Verizon said it would re-evaluate its Yahoo deal and in a Wednesday statement said it will review the “new development before reaching any final conclusions.”

At the very least, the security lapses “definitely will help Verizon in its negotiations to lower the price,” Litan predicted. Yahoo has argued that news of the 2014 hack didn’t negatively affect traffic to its services, strengthening its contention that the Verizon deal should be completed under the original terms.

“This just adds to fuel to the fire, and it won’t help Yahoo’s cause,” said Eric Jackson, a longtime critic of the company’s management.

Investors appeared worried about the Verizon deal. Yahoo’s shares fell 96 cents, or 2 percent, to $39.95 after the disclosure of the latest hack.
