Update: That didn’t take long. Sources have told Bloomberg that Verizon is exploring either paying significantly less for Yahoo or walking away from the deal entirely. Verizon is reportedly seeking a way to ensure that any future legal liability or disclosures fall solely on Yahoo in the event that Verizon acquires it. Bloomberg also reports that up to 150,000 government accounts were also affected. Original story below:
Well, this is just dandy. Earlier this year, Yahoo announced that it had suffered one of the largest hacks in history, with up to 500 million user accounts affected. Now, the company has come clean about an even bigger hack that happened a year earlier and exposed sensitive information on approximately one billion accounts. The most surprising thing about this, of course, is that one billion people had Yahoo accounts to start with.
Here’s where things take a further detour into the ridiculous. In September 2016 we found out about a series of hacks that hit Yahoo back in 2014. Now, at the tail end of the year, we’re hearing that an even larger attack in 2013 not only captured more information, it captured vastly more sensitive data including plaintext security answers to identity questions. Yahoo is now requiring everyone to change their security passwords and is invalidating all of its old questions, but this isn’t just a case of locking the barn after the horse has escaped — the horse has already died of old age.
Yahoo CEO Marissa Mayer
Yahoo apparently only found evidence of these attacks after analyzing log files provided to it by law enforcement. Said files came from a third party who claimed they held information on Yahoo, which means the company didn’t even find this independently — it had to be handed the evidence others had gathered. Verizon is still expected to buy Yahoo, but the company talked publicly about potentially seeking a lower price in the wake of the earlier hack, and now Yahoo has a problem literally twice as big on its hands. This time, the hack actually involved personal information and could be easily mined for additional information on how users tend to select passwords.
Hacks and security breaches are far more useful to black hats than just a list of passwords and logins. By creating dictionaries based on passwords people actually use, black hats can accelerate how quickly and effectively they are able to breach future accounts. In theory, users should create a different login and password for every site, but very few people do so. Most of us use a handful of passwords, at best, or a single common password that’s rotated out over time. Meanwhile, Yahoo took a short view on security for several years, possibly out of fear of losing users, possibly because the company had ideas for monetizing mass surveillance in ways the old East German Stasi would’ve envied.
But more than anything, this just highlights how little society — or businesses — care about online security. Breaches are treated as non-events, even when critical information is exposed, and even when that data could be used to target individuals for theft. If you have access to someone’s email, you may well have access to information about their ongoing medical care, their bank accounts, billing statements, or other personally identifiable information. To coin an analogy: If the USPS announced that it had lost over a billion pieces of physical mail, people would be up in arms about it — but a hack of sensitive user information that may have exposed tens or hundreds of billions of pieces of mail (depending on which information was stolen and how it was used) stirs scarcely a ripple.
If you’ve still got a Yahoo account, it’s probably time to dump it. Use Outlook.com, or Gmail, or any other third-party provider you like, but don’t keep using a company that plainly cares so little for your own privacy and security — unless, of course, you don’t care either.
