(Adds comments from financial analyst, M&A lawyer, hack
By Dustin Volz
Sept 22 Yahoo Inc said on Thursday that
at least 500 million of its accounts were hacked in 2014 by what
it believed was a state-sponsored actor, a theft that appeared
to be the world's biggest known cyber breach by far.
Cyber thieves may have stolen names, email addresses,
telephone numbers, dates of birth and encrypted passwords, the
company said. But unprotected passwords, payment card data and
bank account information did not appear to have been
compromised, signaling that some of the most valuable user data
was not taken.
The attack on Yahoo was unprecedented in size, more than
triple other large attacks on sites such as eBay Inc,
and it comes to light at a difficult time for Yahoo.
Chief Executive Officer Marissa Mayer is under pressure to
shore up the flagging fortunes of the site founded in 1994, and
the company in July agreed to a $4.83 billion cash sale of its
internet business to Verizon Communications Inc.
"This is the biggest data breach ever,"� said well-known
cryptologist Bruce Schneier, adding that the impact on Yahoo and
its users remained unclear because many questions remain,
including the identity of the state-sponsored hackers behind it.
On its website on Thursday, Yahoo encouraged users to change
their passwords but did not require it.
Although the attack happened in 2014, Yahoo only discovered
the incursion after August reports of a separate breach. While
that report turned out to be false, Yahoo's investigation turned
up the 2014 theft, according to a person familiar with the
Analyst Robert Peck of SunTrust Robinson Humphrey said the
breach probably was not enough to prompt Verizon to abandon its
deal with Yahoo, but it could call for a price decrease of $100
million to $200 million, depending on how many users leave
Steven Caponi, an attorney at K&L Gates with a practice
including merger litigation, said that Yahoo's breach could fall
under the "material adverse change" clause common in mergers
allowing a buyer to walk away if its target's value
"That would give Verizon the opportunity to renegotiate the
terms or potentially walk away from the transaction if it is a
material change. Whether it is a material change will depend in
large part on what kind of information was compromised," Caponi
Still, it is rare for mergers to fall apart over material
changes. Verizon said in a statement it was made aware of the
breach within the last two days and had limited information
about the matter.
"We will evaluate as the investigation continues through the
lens of overall Verizon interests," the company said.
Shares of Yahoo stock closed a penny higher at $44.15, while
shares of Verizon, were up about 1 percent.
The Yahoo breach follows a rising number of other
large-scale data attacks and could make it a watershed event
that prompts government and businesses to put more effort into
bolstering defenses, said Dan Kaminsky, a well-known internet
Retailers and health insurers have been especially hard hit
after high-profile breaches at Home Depot Inc, Target
Corp, Anthem Inc and Premera Blue Cross.
"Five hundred of the Fortune 500 have been hacked," he said.
"If anything has changed, it's that these attacks are getting
Three U.S. intelligence officials, who declined to be
identified by name, said they believed the attack was
state-sponsored because of its resemblance to previous hacks
traced to Russian intelligence agencies or hackers acting at
Yahoo said it was working with law enforcement on the
matter, and the FBI said it was investigating.
"The investigation has found no evidence that the
state-sponsored actor is currently in Yahoo's network," the
While the breach comprised mostly low-value information, it
did include security questions and answers created by users
themselves. That data could make users vulnerable if they use
the same answers on other sites.
A former Yahoo employee said the Q&A were deliberately left
unencrypted, which allowed Yahoo to catch fake accounts more
easily because fake accounts tended to reuse questions and
News of the massive breach at one of the nation's largest
email providers may fan concern that U.S. companies and
government agencies are not doing enough to improve cyber
Democratic Senator Mark Warner said in a statement he was
"most troubled by news that this breach occurred in 2014, and
yet the public is only learning details of it today."
Technology website Recode first reported Tuesday that Yahoo
planned to disclose details about a data breach affecting
hundreds of millions of users.
(Reporting by Aishwarya Venugopal in Bengaluru and Dustin Volz
in Washington; additional reporting by Jim Finkle in Boston,
Lauren Hirsch in New York, and Joseph Menn and Deborah Todd in
San Francisco, writing by Alwyn Scott; editing by Peter
Henderson and Cynthia Osterman)