Yahoo isn’t exactly in great shape these days. Now, as Verizon and Yahoo are supposed to be moving to finalize Verizon’s acquisition of Yahoo, the situation could get worse, at least for anyone concerned about trusting the company. Yahoo has now revealed that 500 million accounts were stolen (previous reports pegged the number at 200 million) and that state actors may have been responsible.
There are several ways to read the current situation as it unfolds. First, the data set, which supposedly included account names, passwords (in unspecified form), and birth dates, appears to be of little practical value. Motherboard first took note of a sale of 200 million accounts in August, and the low price of $2,000 seems to imply that the information may be incorrect. Motherboard’s own test of a sample of 5,000 names showed that while many of the addresses were valid usernames, many of the individuals in question couldn’t be reached, implying the accounts are long out of date.
The fact that this data dump may not be particularly critical, however, doesn’t change the troubling aspects of the case. First, too many companies are only learning about these breaches when hackers put their data up for sale. Even an out-of-date account may yield useful information to hackers — it hands them information about usernames and passwords, and many people don’t change that information nearly as often as they should.
There’s also the ongoing problem of the way huge password dumps can make password cracking much easier. Ars Technica published an excellent piece in June discussing how the evolution of password cracking methods has been dramatically accelerated by the leak of the LinkedIn database. If the Yahoo data contains plaintext passwords, the value of that data set in cracking future passwords is much higher than its current value to people who want to hack those specific accounts.
Yahoo’s decision to apparently acknowledge the leak as it moves to complete its own acquisition deal isn’t likely to scuttle the agreement. While Yahoo’s scope and reach have faded in recent years, the company still owns multiple significant web properties and its online businesses reach roughly one billion people. Verizon has stated, “We will evaluate as the investigation continues through the lens of overall Verizon interests … Until then, we are not in position to further comment.”
Yahoo has also confirmed that the 500 million accounts do not include banking information or credit card numbers, and that the hack dates back to 2014, rather than the 2012 date reported by some outlets. “The investigation has found no evidence that the state-sponsored actor is currently in Yahoo’s network,” Yahoo said. The company did not indicate in any detail why it thought the hack was state-sponsored.