By Robert McMillan
Yahoo Inc. is blaming "state-sponsored" hackers for what may be
the largest-ever theft of personal user data.
The internet company, which has agreed to sell its core business
to Verizon Communications Inc., said Thursday that hackers
penetrated its network in late 2014 and stole personal data on more
than 500 million users. The stolen data included names, email
addresses, dates of birth, telephone numbers and encrypted
passwords, Yahoo said.
Yahoo said it believes that the hackers are no longer in its
corporate network. The company said it didn't believe that
unprotected passwords, payment-card data or bank-account
information had been affected.
Computer users have grown inured to notices that a tech company,
retailer or other company with which they have done business had
been hacked. But the Yahoo disclosure is significant because the
company said it was the work of another nation, and because it
raises questions about the fate of the $4.8 billion Verizon deal,
which was announced on July 25.
In July, Yahoo began investigating claims by hackers who were
offering to sell what they said were 280 million Yahoo usernames
and passwords. Yahoo said it concluded the information for sale
wasn't legitimate, but the company decided to broaden its probe,
eventually determining that it had been breached by "a
state-sponsored actor."
In a proxy filing related to the Verizon deal on Sept. 9, Yahoo
said it wasn't aware of any "security breaches" or "loss, theft,
unauthorized access or acquisition" of user data. Yahoo declined to
comment on the filing.
Yahoo didn't say how the hackers broke into its network or which
country sponsored the attacks.
The intrusion, in late 2014, came during a period when many
computer attacks, including on the federal Office of Personnel
Management and health insurer Anthem Inc., were believed to be the
work of China. More recent hacks, however, including of the
Democratic National Committee earlier this year, have been blamed
on Russia. Both countries have denied involvement in the hacks.
It isn't uncommon for data breaches to go unreported for years.
In May, Myspace notified users of a 2013 breach; the same month,
LinkedIn Corp. also notified users that a 2012 incident, thought to
have affected just 6.5 million accounts, had actually compromised
more than 100 million.
"The FBI is aware of the intrusion and investigating the
matter," the Federal Bureau of Investigation said. "We take these
types of breaches very seriously and will determine how this
occurred and who is responsible."
Verizon said it was notified of the breach earlier this week.
"We understand that Yahoo is conducting an active investigation of
this matter, but we otherwise have limited information and
understanding of the impact," Verizon said in a statement. "We will
evaluate as the investigation continues."
B. Riley & Co. analyst Sameet Sinha said the breach is
unlikely to affect terms of the Verizon deal.
"Data breaches have become part of doing business now," he said,
adding that Microsoft Corp. agreed to buy LinkedIn for $26.2
billion in June, one month after LinkedIn notified users of the
broader scope of its 2012 breach.
But Stephen S. Wu, a technology lawyer at the Silicon Valley Law
Group, said the language assuring that no security breaches had
occurred might give Verizon leverage to renegotiate the deal, or
even to walk away.
The Yahoo breach appears to be the largest ever disclosed, based
on the number of users affected, said Paul Stephens, director of
policy and advocacy with Privacy Rights Clearinghouse, a
not-for-profit group that compiles information on data breaches.
Credit-card processor Heartland Payment Systems Inc. said roughly
130 million credit- and debit-card numbers had been stolen in a
2009 hack.
The Yahoo breach, and the timing of the disclosure, quickly
reverberated in Washington. Sen. Mark Warner, D-Va., said in a
statement, "I am perhaps most troubled by news that this breach
occurred in 2014, and yet the public is only learning details of it
today."
Yahoo's breach is the latest in a series of compromises that
have put billions of consumer usernames and email addresses at
risk. One website, called Leaked Source, sells a searchable list of
more than two billion credentials.
While many other companies have disclosed large-scale breaches
recently, the fact that Yahoo is linking its hack to
state-sponsored hackers is noteworthy. U.S. intelligence officials
have said China-based attacks have declined in recent months,
following a 2015 agreement between the U.S. and China.
Over the past year, Russia has gradually taken China's place as
the primary suspect in attacks on U.S. systems. Two hacking groups
-- linked by security researchers and U.S. government officials to
Russia -- have published email messages belonging to public
figures, including private Gmail messages belonging to former
Secretary of State Colin Powell.
The Yahoo data could be used to obtain the personal
correspondence of public figures. "For a government, the real value
would be to look for people with real value," said Matthew Green, a
computer science professor at Johns Hopkins University. "Maybe you
don't get classified information, but some of those Colin Powell
emails were very interesting."
Yahoo said the stolen passwords were encrypted, but
computer-security experts said a determined attacker could
unscramble passwords -- especially simple passwords -- using
commonly available "cracking" software. Once cracked, hackers could
break into Yahoo accounts and -- if the password happened to be
reused on another web service -- possibly other websites too.
Security experts recommend that consumers add a "second factor"
of authentication to their online accounts. Typically this means
receiving a short code via text message every time the user logs in
from an unknown computer.
Yahoo says that its users should change their passwords and
security questions, and avoid using the same password on multiple
accounts.
--Anne Steele, Ryan Knutson, Damian Paletta contributed to this
article.
Write to Robert McMillan at Robert.Mcmillan@wsj.com
(END) Dow Jones Newswires
September 23, 2016 02:47 ET (06:47 GMT)
Copyright (c) 2016 Dow Jones & Company, Inc.