Is it too late for Verizon to get some more of its money back?
After the entity responsible for selling Yahoo agreed to cut $350 million off the company’s sales price earlier this year following revelations that hackers had stolen sensitive account information of as many as 1.5 billion user accounts during two separate data breaches, the Wall Street Journal is now reporting that the scale of one of those intrusions was much larger than initially believed.
A 2013 data breach that was initially believed to have impacted 1 billion, actually impacted all of Yahoo's 3 billion user accounts, Verizon announced on Tuesday. Verizon’s acquisition of Yahoo formally closed in June after contentious negotiations that were complicated by the discovery of the hacks. The smaller of the two incidents, which took place in 2014, was first disclosed to the public last September. It reportedly involved 500 million user accounts. Three months later, in December, the company publicized the 2013 hack.
The stolen data included names, email addresses, dates of birth, telephone numbers and encrypted passwords, Yahoo has said. In October, before the second breach was even disclosed, Verizon signaled that it would likely consider the data breach to be a “material event”, allowing it to change the terms of its deal to buy Yahoo, which it did in February.
As WSJ pointed out, the disclosure shows that executives are still coming to grips with Yahoo's myriad security problems.
Even before the number of affected user accounts was revised higher to 3 billion, the breach was still the largest on record by number affected. However, most experts consider the Equifax breach, which involved sensitive financial and personal information like credit card, social security and drivers’ license numbers, more damaging than the Yahoo breach.
A spokesman for Oath, the new name of Verizon’s Yahoo unit, said the company determined last week that the break-in was much worse than thought, after it received new information from outside the company. He declined to elaborate on the source of that information. Compromised customer information included usernames, passwords, and in some cases telephone numbers and dates of birth, the spokesman said.
Fortunately for Yahoo executives, as part of the revised deal, Verizon agreed to forfeit the right to sue Yahoo for allegedly covering up the hacks. Meanwhile, the entity selling Yahoo has retained liability for an SEC investigation that was launched in January, as well as any shareholder lawsuits related to the deal itself.