
Yahoo has confirmed a data breach with 500 million accounts stolen, as questions about disclosure to Verizon and users grow

It’s much worse than initially thought.

Photo: TechCrunch Disrupt SF 2014, Day 3. Steve Jennings/Getty Images for TechCrunch

Yahoo confirmed today that it had been the subject of a massive hacking attack that exposed the data of at least 500 million users.

Recode previously reported that Yahoo was about to reveal the breach; Yahoo had declined to comment when contacted last night. Now the company is disclosing a situation much worse than expected, although the Recode report had noted that it would be.

Earlier this summer, Yahoo said it was investigating a data breach in which hackers claimed to have access to 200 million user accounts and one of them was selling the data online. “It’s as bad as that,” said one source. “Worse, really.”

Here’s Yahoo’s full statement, in which they blame an unspecified state-sponsored actor:

“We have confirmed that a copy of certain user account information was stolen from the company’s network in late 2014 by what it believes is a state-sponsored actor. The account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers. The ongoing investigation suggests that stolen information did not include unprotected passwords, payment card data, or bank account information; payment card data and bank account information are not stored in the system that the investigation has found to be affected. Based on the ongoing investigation, Yahoo believes that information associated with at least 500 million user accounts was stolen and the investigation has found no evidence that the state-sponsored actor is currently in Yahoo’s network. Yahoo is working closely with law enforcement on this matter.”

The announcement has huge implications for Yahoo’s pending deal to be bought by Verizon for $4.8 billion. Sources at Verizon said they were largely unaware of the severity of the attack until recently and that CEO Marissa Mayer and others did not make them aware of the extent of the issue during the bidding process.

You can read that ire clearly between the lines in a statement from Verizon-owned AOL, which is expected to be integrated with Yahoo when the deal is complete.

"Within the last two days, we were notified of Yahoo's security incident. We understand that Yahoo is conducting an active investigation of this matter, but we otherwise have limited information and understanding of the impact. We will evaluate as the investigation continues through the lens of overall Verizon interests, including consumers, customers, shareholders and related communities. Until then, we are not in position to further comment."

I can tell you that Verizon management is not happy about Yahoo’s disclosures, and other bidders contacted also said Yahoo execs did not outline the seriousness of the situation in their acquisition meetings either. Seems pertinent to me!

In addition, internal sources at Yahoo said the company had been subjected to a number of previous incidents that were not managed swiftly by CEO Marissa Mayer. One executive close to the situation said that former Yahoo information security head Alex Stamos had tried aggressively to get management to act more strongly at the time, but he had not been successful. The well-regarded techie left Yahoo in mid-2015 for a job as chief security officer at Facebook.

This whole incident was first revealed in August when “Peace,” an infamous cybercriminal, advertised the sale of user credentials for some 200 million Yahoo users on the “dark web.” The data included user names, some passwords and personal information like birth dates and other email addresses.

At the time, Yahoo said it was “aware of the claim,” but declined to say if it was legitimate. Instead, it opened an investigation, but did not issue a call for a password reset to users.

Among the questions I would like to ask Yahoo if they ever called back — instead of opting to pre-brief more cooperative outlets: Is this the biggest data breach ever? Why did it take two years to discover and/or disclose the breach? What other breaches have there been? Who made the decision not to warn users and urge systemwide password resets? And, of course, why didn’t management make the dire situation more clear to bidders for Yahoo’s core business, which is the part of the company impacted?

Waiting by the phone for Yahoo to call back with answers, so we’ll be here a while.

This article originally appeared on Recode.net.