The Mercury News

Yahoo: Users’ data at risk

Malicious activity is reported as Verizon slashes its price for struggling Sunnyvale firm

- By Ethan Baron ebaron@bayareanewsgroup.com

SUNNYVALE — Yahoo is warning some users that their accounts have been compromised, after an investigation turned up evidence that intruders infiltrated accounts by using forged cookies.

Yahoo confirmed the warning on Wednesday, the same day it was reported that Verizon is slashing the price it will pay for Yahoo by at least $250 million. The price cut, in reaction to two massive data hacks that Yahoo reported late last year, appears to indicate the troubled deal will go through.

Yahoo’s announcement about the forged cookies is bad news for account holders, cybersecurity experts said. The fact that attackers created viable forged cookies indicates they first stole critical parts of Yahoo’s network infrastructure, said Chris Roberts, chief security architect at Santa Clara’s Acalvio. Bad actors can use that data to access users’ accounts, then apply an automated system to find valuable information to sell on the black market.

“Financial records, health care records, privacy information — all go to different sets of buyers,” Roberts said.

Although Yahoo said it had invalidated the forged cookies so they couldn’t be used again, the hackers, once they’d penetrated Yahoo’s network, could have created another way in that the company hasn’t discovered, putting current accounts at risk, said Peter Nguyen, head of technical services at LightCyber in Los Altos.

It was not immediately clear how deeply connected the malicious account activity was to the two record-setting hacks of users’ data Yahoo disclosed last year. The company said in December that the problem with forged cookies — data strings used to connect users with websites — had been identified separately from the firm’s probe into the hacks. But Yahoo said the state-sponsored actor it believes responsible for the smaller of the two huge data breaches was involved in some of the forged-cookie intrusions.

“As we have previously disclosed, our outside forensic experts have been investigating the creation of forged cookies that could have enabled an intruder to access our users’ accounts without a password,” Yahoo said in a statement Wednesday. “The investigation has identified user accounts for which we believe forged cookies were taken or used.

“Yahoo is in the process of notifying all potentially affected account holders. Yahoo has invalidated the forged cookies so they cannot be used again.”

Yahoo’s security investigations are nearly finished, and the firm has notified a “reasonably final list” of affected users about the cookie-related compromises, a person familiar with the situation said Wednesday.

The firm did not disclose how many user accounts were compromised by the forging of Yahoo’s cookies.

A company spokesman said Wednesday that Yahoo has invested more than $250 million in security initiatives since 2012, and that it conducts regular cyberattack simulations to boost its defenses.

“Today’s security landscape is complex and ever evolving, but, at Yahoo, we have a deep understanding of the threats facing our users and continuously strive to stay ahead of these threats to keep our users and our platforms secure,” the spokesman said.

LightCyber’s Nguyen believes the forged cookies represented the first step on the way to the data breaches of some half billion user accounts in one instance and more than a billion in the other. The cookies were the attackers’ means of getting into Yahoo’s system to discover, then steal, data of value, Nguyen said.

The disclosure from Yahoo came as its shaky sale to Verizon moved onto firmer ground Wednesday, after reports indicated the initial $4.8 billion offer has dropped by $250 million to $300 million.

The reported discount, stemming from the revelations last year about the huge hacks, is significantly lower than the $1 billion many analysts believed would be taken off the price.

And news that Verizon would pay less for the struggling Sunnyvale tech giant also suggested that the sale would go ahead in spite of data-breach fallout including lawsuits and potential damage to Yahoo’s brand.

“It certainly brings it closer to reality,” said Pivotal Research analyst Brian Wieser.

Yahoo put itself up for sale in February 2016 and in July accepted Verizon’s bid. But disclosures from the company soon threw the deal into jeopardy.

In September, Yahoo announced that at least 500 million user accounts had been hacked in 2014. Names, email addresses, phone numbers, dates of birth, scrambled passwords and security questions and answers may have been stolen, the company warned. Yahoo said it had discovered the hack through a “recent investigation.” Verizon called the data breach “material” to its purchase. Analysts began questioning the viability of the sale, and predicting that if it did go through, Verizon would receive a deep discount.

Then in November, a Securities and Exchange Commission filing by Yahoo revealed that contrary to its statement about a recent investigation, it knew in 2014 that it had been hacked, but withheld the information from the public and regulators for nearly two years. Yahoo said in the filing that the Verizon sale was at risk because of the data breach.

But that lapse in cybersecurity soon looked paltry in the face of Yahoo’s disclosure in December that hackers in 2013 had stolen the same kinds of personal data from more than a billion user accounts.

Verizon’s most recent statement on the Yahoo purchase said it was still assessing fallout from the larger data breach.

The theft of Yahoo users’ personal data has spawned more than two dozen lawsuits from users, all of them seeking class-action status. Several news outlets reported Wednesday that Yahoo and Verizon would share liability over lawsuits related to the data breaches.

On Wednesday, the Wall Street Journal reported that Verizon would get about $300 million off the sale price of Yahoo, and Bloomberg reported the discount would amount to about $250 million. Both reports were based on unnamed sources.

Pivotal’s Wieser had expected a $1 billion discount.

“It’s positive for Yahoo shareholders, certainly, if the number is more like $300 million,” Wieser said. “That’s certainly positive for Yahoo. It’s positive for Verizon, too, getting the deal out of the way and moving on.

“It’s time to put legacy Yahoo out of its misery.”

Yahoo’s stock price on Wednesday rose 1.4 percent to $45.65, then dipped slightly in after-hours trading to $45.51.
