With just months to go before it’s set to be acquired by Verizon for $4.83 billion, Yahoo confirmed today that a massive data breach four years ago affected some 500 million Yahoo users.
First reported by Motherboard in early August, the breach came to light after the Yahoo credentials were listed for sale on the dark web. Offered by a hacker using the name “Peace” for the price of three bitcoins (about $1,800), the user data appeared to have been taken in a breach that occurred in 2012.
“We are aware of a claim,” a Yahoo spokesperson first told us on August 2. “We are committed to protecting the security of our users’ information and we take any such claim very seriously.”
Confirmation Anticipated, Then Confirmed
In a report published earlier today, tech site re/code cited “several sources close to the situation” who said Yahoo would soon confirm the massive 2012 breach of user accounts. Noting that legal action and government investigations were likely, those sources told re/code the breach was widespread and serious. “It’s as bad as that,” according to one source. “Worse, really.”
Security developer Troy Hunt was among those closely watching the Yahoo developments today. Hunt, who runs the breach-related Web site “Have I been pwned?”, noted in several tweets today that he and others had received email or sign-on notifications from Yahoo recommending a change in passwords to secure their accounts.
“More Yahoo breach indicators (this could happen any time, but a lot of signals lining up at once right now),” Hunt said on Twitter earlier this morning.
Official confirmation came mid-day today, when Yahoo chief information security officer Bob Lord said in a post on the company’s Tumblr account that “information associated with at least 500 million user accounts was stolen” in late 2014 by someone believed to be a “state-sponsored actor.”
Lord said Yahoo is working closely with law-enforcement authorities but believes the stolen information did not include unprotected passwords, payment card data or bank account information. Yahoo is taking a number of actions to protect its users, he added, and is urging users to change their passwords, security questions and answers if they haven’t done so since 2014.
Verizon Closing Set for Early 2017
Announced in July, the pending sale of Yahoo to Verizon would see the telco gain a digital media property with more than 1 billion monthly active users. Verizon is expected to tap into that user base and the advertising opportunities it offers to fuel new growth as its own mobile services business continues to shift.
Set to be finalized in the first quarter of 2017, the all-cash deal would expand Verizon’s holdings with the addition of Yahoo’s online news, finance and sports properties. Verizon would also gain Yahoo’s 225 million email service users as well as its advertising technology assets such as Brightroll, Flurry and Gemini.
Verizon made a similar acquisition in 2015, when it purchased AOL for $4.4 billion. That transaction expanded Verizon’s portfolio with the addition of digital properties including The Huffington Post, TechCrunch and Engadget, as well as AOL.com.
“The addition of Yahoo to Verizon and AOL will create one of the largest portfolios of owned and partnered global brands with extensive distribution capabilities,” Verizon said in its July 25 announcement. “Combined, AOL and Yahoo will have more than 25 brands in its portfolio for continued investment and growth.”
Verizon’s Response to the Breach
A spokesperson for Verizon emailed us this afternoon with the following statement: “Within the last two days, we were notified of Yahoo’s security incident. We understand that Yahoo is conducting an active investigation of this matter, but we otherwise have limited information and understanding of the impact.
“We will evaluate as the investigation continues through the lens of overall Verizon interests, including consumers, customers, shareholders and related communities. Until then, we are not in position to further comment.”
Editor’s note: This story was updated to include Yahoo’s confirmation and Verizon’s response.