2016-12-16

This is A NEW ONE; Yahoo Suffers World's Biggest Hack Affecting 1 Billion Users


By MICHAEL LIEDTKE, AP TECHNOLOGY WRITER

SAN FRANCISCO — Dec 14, 2016, 10:34 PM ET


Yahoo has discovered a 3-year-old security breach that enabled a hacker to compromise more than 1 billion user accounts, breaking the company's own humiliating record for the biggest security breach in history.

The digital heist disclosed Wednesday occurred in August 2013, more than a year before a separate hack that Yahoo announced nearly three months ago.

That breach affected at least 500 million users, which had been the most far-reaching hack until the latest revelation.

"It's shocking," security expert Avivah Litan of Gartner Inc.

Both lapses occurred during the reign of Yahoo CEO Marissa Mayer, a once-lauded leader who found herself unable to turn around the company in the four years since her arrival.

Earlier this year, Yahoo agreed to sell its digital operations to Verizon Communications for $4.8 billion — a deal that may now be imperiled by the hacking revelations.

TWO HACKS, MORE THAN A BILLION ACCOUNTS

Yahoo didn't say if it believes the same hacker might have pulled off two separate attacks. The Sunnyvale, California, company blamed the late 2014 attack on a hacker affiliated with an unidentified foreign government, but said it hasn't been able to identify the source behind the 2013 intrusion.

Yahoo has more than a billion monthly active users, although some have multiple accounts and others have none at all. An unknown number of accounts were affected by both hacks.

In both attacks, the stolen information included names, email addresses, phone numbers, birthdates and security questions and answers.

The company says it believes bank-account information and payment-card data were not affected.

But hackers also apparently stole passwords in both attacks. Technically, those passwords should be secure; Yahoo said they were scrambled twice — once by encryption and once by another technique called hashing.

But hackers have become adept at cracking secured passwords by assembling huge dictionaries of similarly scrambled phrases and matching them against stolen password databases.

That could mean trouble for any users who reused their Yahoo password for other online accounts. Yahoo is requiring users to change their passwords and invalidating security questions so they can't be used to hack into accounts. (You may get a reprieve if you've changed your password and questions since September.)

Security experts said the 2013 attack was likely the work of a foreign government fishing for information about specific people. One big tell: It doesn't appear that much personal data from Yahoo accounts has been posted for sale online, meaning the hack probably wasn't the work of ordinary criminals.

That means most Yahoo users probably don't have anything to worry about, said J.J. Thompson, CEO of Rook Security.

QUESTIONS FOR VERIZON

News of the additional hack further jeopardizes Yahoo's plans to fall into Verizon's arms. If the hacks cause a user backlash against Yahoo, the company's services wouldn't be as valuable to Verizon, raising the possibility that the sale price might be re-negotiated or the deal may be called off.
The telecom giant wants Yahoo and its many users to help it build a digital ad business.

After the news of the first hack broke, Verizon said it would re-evaluate its Yahoo deal and in a Wednesday statement said it will review the "new development before reaching any final conclusions." Spokesman Bob Varettoni declined to answer further questions.

At the very least, the security lapses "definitely will help Verizon in its negotiations to lower the price," Litan predicted. Yahoo has argued that news of the 2014 hack didn't negatively affect traffic to its services, strengthening its contention that the Verizon deal should be completed under the original terms.

"This just adds to fuel to the fire and it won't help Yahoo's cause," said Eric Jackson, a longtime critic of the company's management. Although he has in the past, Jackson doesn't currently own Yahoo stock.

Investors appeared worried about the Verizon deal. Yahoo's shares fell 96 cents, or 2 percent, to $39.95 after the disclosure of the latest hack.

==========
==========

Yahoo Discloses New Breach of 1 Billion User Accounts

Verizon, which has struck a deal to buy company’s core business, will review impact of new breach

By Robert McMillan, Ryan Knutson and Deepa Seetharaman

Updated Dec. 15, 2016 5:19 p.m. ET

The 1 billion users affected by Wednesday’s Yahoo cyberattack news are the most recent victims of the rising data breach issue across the world. Here’s a look back at the last few years’ biggest breaches. Photo: Robert Galbraith/Reuters

A newly discovered data breach exposed the private information of more than 1 billion Yahoo users, the company said, dwarfing the scope of another recently disclosed hack and casting doubt on Verizon Communications Inc.’s planned acquisition of the internet company.

The 2013 theft is separate and twice as large as a 2014 hack that Yahoo Inc. disclosed earlier this year. That hack had been billed as likely the largest-ever theft of personal data.

Unidentified hackers penetrated Yahoo’s network in August 2013 and stole data including names, email addresses, telephone numbers, dates of birth and passwords, the company said. Yahoo said it believes the incident is distinct from the 2014 hack, and that the hackers are no longer in its corporate network.

The new disclosure could jeopardize Verizon’s $4.83 billion acquisition of Yahoo’s core internet business, a deal announced in July and expected to close in early 2017. In October, Verizon signaled it could consider the 2014 breach a material event that could allow it to change the deal terms.

The companies were discussing the impact of that first breach when the second was discovered. Verizon learned of the latest breach in the past few weeks, a person familiar with the matter said. The company still has all options on the table, including renegotiating the deal’s price or walking away, the person said.

Yahoo says more than a billion users were affected by a data breach that it says occurred in 2013. WSJ personal technology editor Wilson Rothman and WSJ's Tanya Rivero discuss tips for protecting yourself against future breaches. Photo: Getty

“We will evaluate the situation as Yahoo continues its investigation,” Verizon said Wednesday.

“We will review the impact of this new development before reaching any final conclusions.”

A spokesman said Yahoo is confident in the company’s value and is continuing with its integration plans. “We have been in communication with Verizon leadership throughout the investigation,” he said.

Verizon had been negotiating with Yahoo over how much liability the remaining Yahoo company would shoulder for future liabilities associated with the 2014 hack, people familiar with the matter said. Verizon wasn’t trying to reduce the purchase price of Yahoo because the cost of future liabilities—if any—is unknown, the people said, therefore asking for a price discount would effectively be a bet.

The sides were close to an agreement, the people familiar said, but that has been derailed after the discovery of this latest, larger breach. Now, Verizon will again wait to see how much the hack affects the number of users or the overall value of the company.

Yahoo’s assets, which include websites such as Yahoo Finance, Sports and News, still make strategic sense for Verizon, one of the people said. If Verizon finds that the overall value of Yahoo hasn’t changed, then the issue could be resolved by simply splitting future liabilities.




Yahoo isn’t sure how many records in total were taken during the two incidents, because a subset of the 1 billion stolen in 2013 were likely also taken in 2014, the company spokesman said. Yahoo learned of the 2013 breach in November when law enforcement provided the company with “data files that a third party claimed was Yahoo data.”

The 2014 break-in was done by a state-sponsored actor, Yahoo has said, but it isn’t clear who was behind the 2013 incident.

In September, The Wall Street Journal reported that criminals were selling access to a database of user accounts and that portions of that database had been obtained by the security research firm InfoArmor Inc.

In early November, InfoArmor handed over tens of millions of these records to the Federal Bureau of Investigation, the company said Tuesday.

Now Yahoo’s users are again being urged to review all of their online accounts and to change their passwords and security questions and answers for any other accounts on which they use the same or similar information used for their Yahoo account.

It also recommended users avoid clicking links or downloading attachments from suspicious emails and remain cautious of unsolicited communication asking for personal information.

Separately, Yahoo, which had previously disclosed that its outside forensic experts were investigating the creation of forged cookies that could allow an intruder to access users’ accounts without a password, said Wednesday it believes an unauthorized third party accessed the company’s proprietary code to learn how to forge cookies.

Yahoo is notifying affected account holders, and has invalidated the forged cookies.

Shares in the company lost more than 2% after hours to $39.91.

—Anne Steele contributed to this article.

Write to Robert McMillan at Robert.Mcmillan@wsj.com, Ryan Knutson at ryan.knutson@wsj.com and Deepa Seetharaman at Deepa.Seetharaman@wsj.com
