Yahoo’s massive data breach in which at least 500 million user accounts have been hacked may be “the straw that breaks the camel’s back” and complicate its planned sale to Verizon, says Centrify's Corey Williams.
In a blog post published today, Williams, senior director of products and marketing at the identity management firm, says that Yahoo was facing an existential crisis and that the incident could be its “last hurrah”.
“Already besieged by business execution issues and enduring a sale to Verizon, this may be the straw that breaks the camel’s back,” Williams, who said he had been a Yahoo email user since 1997, wrote. “Since this breach occurred in 2014 and wasn’t properly communicated or handled in a timely manner, it may very well give Verizon an ‘out’ or a reason to renegotiate.”
Yahoo CISO Bob Lord admitted the breach on the company’s Tumblr blog yesterday, saying that information from at least 500 million user accounts had been stolen in late 2014 by what it believed to be a state-sponsored actor.
Information may have included “names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers”, Lord wrote.
The hack was publicly disclosed after data was offered on a hacker forum and stands as the biggest hack the world has ever seen. Until Thursday, the largest known hack was the 2008 breach that hit almost 360 million MySpace accounts, according to a ranking by the ‘Have I been pwned’ website.
Centrify's Williams, who claims he was ‘loyal’ to Yahoo even when superior email services came available, criticised Yahoo’s reaction to the hack.
“Yahoo is trying to say and do the right things by stating that a ‘state-actor’ was responsible, that the FBI is aware, and that users should change their password and turn on a second factor authentication. But they go on to minimise the issue by using phrases including state-sponsored attacks 'have become increasingly common' and 'Yahoo and other companies have launched programs to detect and notify users'. As if it is just business as usual to notify customers and move on.
“Even though they were aware of the claim for at least the past couple of months, they are just now admitting that it is, in fact, true.”
Verizon issued a statement saying that they had only been notified of the incident in the last two days.
“We will evaluate as the investigation continues through the lens of overall Verizon interests, including consumers, customers, shareholders and related communities. Until then, we are not in position to further comment,” the company said in a statement.
In July, Yahoo announced the sale of its core operating business to Verizon for US$4.8 billion in what was dubbed the "saddest $5 billion deal in tech history".