Yahoo announces large-scale theft/loss/breach of 1 billion personal account details.
For potentially affected accounts, the stolen user account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers. The investigation indicates that the stolen information did not include passwords in clear text, payment card data, or bank account information. Payment card data and bank account information are not stored in the system the company believes was affected.
Some thoughts that occur to me in no particular order:
- Yahoo was comprehensively owned by the attacker to get so much data.
- Yahoo security must have been very poor.
- Not a single reaction from law enforcement or the legal community.
- Or political government in any jurisdiction (that I can find).
- Verizon will probably use this as an excuse to further reduce the price for buying the part of Yahoo Inc. that got breached, i.e. the web business.
- Yahoo share price is basically unchanged. Two reasons: 1) no one cares, and 2) most of Yahoo's share valuation relates to ownership of other businesses, not the Yahoo.com website.
- Yahoo has known about this since 2013 and kept it private. You could easily speculate that someone/something has forced Yahoo execs to publish this information when it will have real impact on the Verizon takeover. I’d like to know why they are announcing this now?
It strikes me that Yahoo’s widespread poor reputation may be linked to this issue. A billion accounts means that many tens of millions of people have likely been compromised using this information. Their email may have been accessed, their passwords used to compromise other services, their personal details used to answer security questions, and so on. A comprehensive profile of basic computer security could be used to extend the value of this compromise.
Building a direct correlation would be difficult but the sheer number of people affected may have led to the community view that Yahoo isn’t very good.
Which it isn’t. Obviously. And not just for security.