One billion Yahoo user accounts were compromised by hackers in August 2013, the internet giant has confirmed, raising questions about what this latest data breach disclosure means for Verizon’s ongoing bid to acquire the company.
Bob Lord, chief information security officer (CISO) at Yahoo, outlined details of the breach in a blog post, and confirmed the perpetrators were unknown, but it is thought they may have used “forged cookies” to access user accounts without needing to know their password.
“We believe an unauthorised third party, in August 2013, stole data associated with more than one billion user accounts. We have not been able to identify the intrusion associated with this theft,” he said.
Speaking to Computer Weekly, Jonathan Care, a research director at market watcher Gartner, said Yahoo’s lack of clarity on this point was troubling.
“The implication is that Yahoo has overly focused on deploying protective technologies, and has not put in place effective analytics, detection and response systems and processes,” he said.
“From what we do know, the attackers made use of cookie masquerading, pass-the-hash and a state-sponsored actor. This gives strength to the importance of a strong detection plan.”
Breaking the news of the breach
The incident came to light after US law enforcers shared files with the company that a third party claimed contained Yahoo user data.
“We analysed this data with the assistance of outside forensic experts and found that it appears to be Yahoo user data,” said Lord.
“For potentially affected accounts, the stolen user account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers.”
The compromised data did not contain passwords in clear text or any financial information belonging to users, Lord added.
“We are notifying potentially affected users and have taken steps to secure their accounts, including requiring users to change their passwords,” he said. “We have also invalidated unencrypted security questions and answers so that they cannot be used to access an account.”
This latest breach comes several months after Yahoo revealed details of another historic attack on its systems, dating back to 2014, which led to the personal details of at least 500 million users becoming exposed.
At the time, the incident was reported to be the largest publicly reported breach of its kind, but the August 2013 one is understood to be considerably bigger.
In the blog post, Lord said the company had reason to believe the August 2013 hack was “distinct” from the 2014 incident.
After news of the 2014 hack broke, Yahoo confirmed some staff knew about it several years before details were publicly disclosed, and acknowledged that it could lead to Verizon withdrawing its $4.83bn bid to acquire the company.
In light of its latest disclosure, questions are now being raised about how the news may affect the deal, given Verizon went on record in October 2016 to say the previous breach could pave the way for it to drop its bid.
Paul Glass, a partner in the data protection team at law firm Taylor Wessing, said – at the very least – the latest breach would have a “significant impact” on the deal’s value.
“The scale of the two breaches, coupled with what they appear to show about Yahoo’s approach to security, will surely add even more weight to Verizon significantly lowering the purchase price,” he said.
“It also emphasises the importance of purchasers understanding the security risks of target businesses and building in contractual mechanisms to adjust the price, or even allow them to walk away from the deal if breaches like these come to light before completion.”
Gartner’s Care backed this view, pointing to the downward impact the news of the breach has already had on Yahoo’s stock price.
“It’s clear that there will be an impact on the proposed acquisition, and the markets are reacting to the news. It is disturbing that it has taken so long for the breach to be made public in the light of the data breach notification laws in the US and elsewhere,” he said.
“Clearly, the upshot of this is that we need to realise that it’s no longer a case of ‘if we’re targeted or unlucky’, but that we are all targets.”