Yahoo, the Multinational Technology Company has confirmed on Thursday that at least 500 million of its accounts were hacked in 2014. It was a theft that appeared to be the world’s biggest known cyber breach by far. The company said that the cyber thieves may have stolen names, email addresses, telephone numbers, dates of birth and encrypted passwords.
The attack on Yahoo was unprecedented in size, more than triple other large attacks on sites such as eBay, and it comes to light at a difficult time for Yahoo. ‘But some of the most valuable user data was not taken’, the company says.
Here’s Yahoo’s full statement:
“We have confirmed that a copy of certain user account information was stolen from the company’s network in late 2014 by what it believes is a state-sponsored actor. The account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with encrypting) and, in some cases, encrypted or unencrypted security questions and answers.
The on-going investigation suggests that stolen information did not include unprotected passwords, payment card data, or bank account information; payment card data and bank account information are not stored in the system that the investigation has found to be affected. Based on the on-going investigation, Yahoo believes that information associated with at least 500 million user accounts was stolen and the investigation has found no evidence that the state-sponsored actor is currently on Yahoo’s network. Yahoo is working closely with law enforcement on this matter.”
Chief Executive Officer Marissa Mayer is under pressure to shore up the flagging fortunes of the site Yahoo founded in 1994, and the company in July agreed to a $4.83 billion cash sale of its internet business to Verizon Communications Inc. On its website on Thursday, Yahoo encouraged users to change their passwords but did not require it. Although the attack happened in 2014, Yahoo only discovered the incursion after August reports of a separate breach.
In addition, internal sources at Yahoo said the company had been subjected to a number of previous incidents that were not managed swiftly by CEO Marissa Mayer. This whole incident was first revealed in August when “Peace,” an infamous cybercriminal, advertised the sale of user credentials for some 200 million Yahoo users on the “dark web.”
Steven Caponi, an attorney at K&L Gates with a practice including merger litigation, said that Yahoo’s breach could fall under the “material adverse change” clause common in mergers allowing a buyer to walk away if its target’s value deteriorates.
“That would give Verizon the opportunity to renegotiate the terms or potentially walk away from the transaction if it is a material change. Whether it is a material change will depend in large part on what kind of information was compromised,” Caponi said.
Finally, Technology website Recode first reported Tuesday that Yahoo planned to disclose details about a data breach affecting hundreds of millions of users.