Over a year ago, Yahoo (back when it still existed) admitted up to a billion of its email accounts were breached in a massive attack. Evidence then surfaced that the attack was made much easier by Yahoo’s refusal to adopt basic security protocols or to improve its service, out of fear that these changes would drive its users to Gmail or Hotmail, its primary competitors. Now, the company has admitted it wasn’t one billion accounts that were compromised, but three billion. That’s basically everyone who ever had a Yahoo account, ever.
Now, if you used your Yahoo login for a throwaway email account you created 20 years ago, there’s not much chance any of your data was compromised. If you actually relied on it for, well, anything else, you probably had some information stolen. Bloomberg reports the stolen data “didn’t include passwords in clear text, payment data or bank accounts,” which is something, but coming hard on the heels of the Equifax breach earlier this summer it isn’t exactly reassuring.
Verizon had already negotiated itself a $350M price drop on Yahoo when it bought some of the distressed company’s assets last year, and agreed to split the cost of any liabilities related to the breach with Altaba, the former owner of Yahoo’s internet assets. Verizon spun its own purchased division of the company into a new entity, called “Oath” that owns Yahoo’s former assets like AOL and the Huffington Post. Altaba is the name of the holding company that still owns Yahoo’s 15 percent stake in the Alibaba group and a 35.5 percent stake in Yahoo Japan. Yahoo Japan is actually the most-visited website in that country and its internet services dominate the Japanese market (at least, according to Wikipedia).
The anatomy of the 2013 hack, showing how data was moved across various illegal groups. Click to enlarge
Bloomberg spoke to Jan Dawson, an analyst at Jackdaw Capital, who didn’t see the admission as particularly damaging to Yahoo. “Certainly this makes the hack look worse than Verizon and the rest of us thought, but I don’t know that that materially changes the valuation of Yahoo as a company or the ongoing cost of dealing with the hack,” Dawson said in the report.
Yahoo was actually hacked twice, in 2013 and 2014. The US government has accused the Russians government of being involved in the later hack, but the identity of the hackers that struck in 2013 isn’t known. Investigations have shown that the Yahoo data was sold at least three times–twice to various spamming groups that wanted to target email addresses, and once by a group that wanted to verify 10 specific logins and passwords rumored to be linked to various US and foreign officials. This suggests that the third purchase was a highly targeted attempt to gain access to specific accounts by an intelligence agency.
Yahoo has lost significant web traffic since 2013, which suggests more people have migrated away from its email services. Ironically, that’s the very thing the company was hoping to avoid when it didn’t sign off on repairing the flaws that would’ve prevented this attack in the first place.