Update: In light of the title of this post, the Irish data protection commissioner, Helen Dixon, says that her office is considering “next steps” in investigating Yahoo. While I don’t think the U.S. will do anything more than slap Yahoo on the wrist for allowing three billion identities to be compromised, the EU generally takes a different stance on things like this. Come 2018, it could cost companies like Yahoo and others who do business in Europe up to 4 percent of their annual revenue in fines. That’s revenue, not profit. Stay tuned.
Yahoo, just before Verizon acquired it, disclosed first one breach and then another breach. One breach, that occurred in 2014, affected a half billion (500,000,000) people. The other breach, in 2013, affected one billion (1,000,000,000) people.
The effect of this disclosure was to put the deal on hold for several months and then to give the deal a haircut of about $300 to $400 million. For a deal valued at $4 billion plus, that only represents a 10% price reduction, but still, that represents a lot to the Yahoo shareholders. In addition, Yahoo agreed to remain responsible for certain aspects of the breach such as the SEC investigation and penalties and to share some of the other costs. By the time it is all done, it could cost Yahoo shareholders $500-$750 million.
Verizon understood (I hope) that they were buying damaged goods and knew they had their work cut out for them.
Now Verizon is admitting that the 2013 breach affected 3 billion accounts – passwords, security questions, names, email addresses, etc. This is three times what they disclosed before the sale, three times what they disclosed to their customers and three times the number that they disclosed to the SEC. I suspect that won’t make the SEC very happy, but it will likely make the class action attorneys quite joyful.
Verizon says this new data comes from unnamed outside forensics experts. Verizon is not saying WHEN they found out that the breach affected every Yahoo account. In fact they are not saying much of anything. Of course, when the lawsuits move forward, more information may come out.
At least some of the data is available for sale on the dark web. That fact may be the reason that they have revised the numbers up.
To some outsiders, the fact that ALL accounts were affected is not a surprise. After all, they say, the hackers had burrowed in so deeply that it didn’t make sense that only some accounts were affected, but that is what Yahoo told everyone.
Assuming that you had a Yahoo account, hopefully, by now, you have changed your password anywhere that password was used (a great reason NOT to reuse passwords at different sites). The bigger issue is those security questions. If you answered questions like what street you were born on or what your first car was, and that data is out in the wild, you can’t retract it.
Or can you?
Remember, most folks don’t care how you answer the question, just that the answer that you gave when you created the account and the answer that you give now match. If your first car was a VW and you said it was a Mercedes, they won’t close your account. Of course, you have to remember what you said, but if you use a password safe, you could store that “fake car” info in the password safe.
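The point above has two halves: the user should treat a security answer as a second secret (random, unrelated to the truth, kept in the password safe), and the site should treat it as a password (normalised, salted, hashed, compared in constant time) rather than as a fact it stores in clear. The following added example is mine, not code from the original post or from Yahoo. The word list, the `vault` dictionary standing in for a password safe, and the PBKDF2 parameters are constructed for illustration.

```python
"""Security questions handled as secrets, on both sides of the exchange.

User side:  generate a random answer and file it in a password safe.
Site side:  store only a salted PBKDF2 digest and verify in constant time,
            so a leaked answer table is as hard to use as a leaked password table.
Added example; the word list, vault and parameters are constructed.
"""
import hashlib
import hmac
import secrets
import unicodedata
from typing import Optional

# Constructed word list; a real generator would draw from a much larger one.
WORDS = ["copper", "violet", "harbor", "meadow", "quartz", "saddle",
         "tundra", "walnut", "ember", "lantern", "pebble", "cinder"]


def generate_answer(n_words: int = 3) -> str:
    """User side: an answer such as 'quartz-ember-saddle' that has nothing
    to do with the user's actual first car, street, or school."""
    return "-".join(secrets.choice(WORDS) for _ in range(n_words))


def normalize(answer: str) -> str:
    """Canonicalise so 'Mercedes ' and 'mercedes' compare equal, which is
    how sites usually treat answers. Applied before hashing and verifying."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def hash_answer(answer: str, salt: Optional[bytes] = None,
                rounds: int = 200_000) -> dict:
    """Site side: keep a salted PBKDF2-HMAC-SHA256 digest, never the answer."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(),
                                 salt, rounds)
    return {"salt": salt, "rounds": rounds, "digest": digest}


def verify_answer(record: dict, candidate: str) -> bool:
    """Site side: recompute the digest and compare in constant time.
    Only agreement with the enrolled answer matters, not whether it is true."""
    digest = hashlib.pbkdf2_hmac("sha256", normalize(candidate).encode(),
                                 record["salt"], record["rounds"])
    return hmac.compare_digest(digest, record["digest"])


# Stand-in for a password-safe entry, keyed by site and question (constructed).
vault: dict = {}


def enroll(site: str, question: str) -> dict:
    """Generate a random answer, file it in the vault, and return the hashed
    record the site would keep. The truthful answer never enters the flow."""
    answer = generate_answer()
    vault[(site, question)] = answer
    return hash_answer(answer)


def answer_from_vault(site: str, question: str) -> str:
    """User side: look the answer up when the site asks, instead of remembering it."""
    return vault[(site, question)]


if __name__ == "__main__":
    record = enroll("example-mail", "What was your first car?")
    reply = answer_from_vault("example-mail", "What was your first car?")
    print("vault answer:", reply)
    print("site accepts vault answer:", verify_answer(record, reply))
    print("site accepts the real car (VW):", verify_answer(record, "VW"))
```

If a breach dumps the site's table, the attacker gets salted digests of random strings rather than a list of the user's actual first cars; and because the same random answer is never reused across sites, a digest cracked at one site cannot be replayed at another.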
One exception to this is when the web site thinks it knows the answers to the questions. Web sites can buy the questions and answers from businesses like Equifax (that should make you feel secure). That service is called “out of wallet” questions and hopefully, any company that has been using one of those services stops immediately since if that security mechanism was ever effective, it is no longer secure now. I was recently asked by a business to answer some of those out of wallet questions and I laughed and asked if they were kidding. Even the guy who was asking the questions laughed, but he was just “following orders”.
If you are responsible for that part of security at your company and you are using out of wallet questions, find a different solution.