Yahoo has recently suffered a data breach in which the data of 500 million accounts was stolen. And while Yahoo voluntarily came out and admitted what happened, the lack of details in its press release left a lot of unanswered questions.
Yahoo has specified that besides names and email addresses, user information such as dates of birth, telephone numbers, hashed passwords (the majority hashed with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers was also stolen.
"The ongoing investigation suggests that stolen information did not include unprotected passwords, payment card data, or bank account information; payment card data and bank account information are not stored in the system that the investigation has found to be affected," says Yahoo.
Why Did It Take Two Years For The Disclosure?
Bear in mind that this information was stolen in late 2014. So one has to wonder why it took two years for Yahoo to disclose that half a billion accounts were compromised.
The Sunnyvale-based company did not specify when it discovered that the information had been stolen from its database. Did they not know until recently? If that is the case, however, then it puts Yahoo in a peculiar spot where its ability to provide data security becomes questionable.
Maybe the company has been aware of it for some time now. Then again, why would it take such a long time before an advisory got published? Either way, Yahoo's credibility takes a blow.
Who Did It?
Yahoo says that a "state-sponsored actor" is responsible for the intrusion, without giving any specifics regarding the culprit or culprits.
"With no technical details included in Yahoo's report about how the data was exfiltrated, just that it was, it's impossible to assess credibility of the 'state sponsored' claim," Chris Hodson of enterprise security firm Zscaler tells The Guardian.
Early in August, reports surfaced of a hacker, known only as "Peace" or "Peace of Mind," selling 200 million Yahoo accounts over the dark web. However, analysts say that Peace does not fit Yahoo's description of the culprit for the late 2014 data breach, since it is not typical of a state-sponsored hacker to sell or profit from the looted dumps.
Note that this hacker was also behind the MySpace and LinkedIn data breaches that were reported in May. Information on roughly 427 million MySpace accounts and 117 million LinkedIn accounts was stolen and sold over the dark web.
Moreover, Peace told Motherboard that the dumps he or she took were from 2012. Hence, it is likely that another hacker is involved aside from Peace.
Yahoo says that it is working with law enforcement regarding the matter.
What Happens To The Verizon-Yahoo Acquisition Deal?
It is no secret that Verizon is well on its way to closing a $4.83 billion deal to acquire Yahoo. However, Yahoo's data breach report may prompt Verizon to make adjustments to the deal.
"We will evaluate as the investigation continues through the lens of overall Verizon interests, including consumers, customers, shareholders and related communities," Verizon said in response to Yahoo's revelation.