Yahoo suffers from another historic hack.
Global attention turned to cyber security when Yahoo announced on 14th December 2016 that almost one billion of the company’s user accounts were compromised in August 2013. To everyone’s surprise, that is double the number implicated in the enormous 2014 security breach reported in September.
Worryingly, the victims include more than 150,000 US civil-military employees and, more seriously, current and former staff of the White House and the security agencies, sparking heated debate on US national security. The major concern echoing in US political and cyber security spheres is the company’s blatant inefficiency in taking such a long time to discover and disclose the breach.
Explaining the ominous situation, Yahoo told Reuters that it discovered the hack while reviewing some data files provided by law enforcement agencies, which, according to a third party, belonged to the company. Forensic verification by foreign experts confirmed that “an unauthorized third party” hacked more than one billion user accounts in August 2013.
The theft has yet to be traced, as Yahoo’s Chief Information Security Officer Bob Lord said they are still far from identifying “the intrusion associated with this theft.”
The company reveals that the stolen information includes “names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answer… (However) did not include passwords in clear text, payment card data, or bank account information.” This calls all of Yahoo’s cyber security measures into serious question, as each of them, including MD5, proved to be ineffective.
The company further confirms that forensic experts believe the hackers used forged cookies to gain access to a user’s account without needing any password. This alarmed critics, who argue that a breach on such a large scale is the expected outcome of an entrenched lack of seriousness about prioritizing network security and digital infrastructure in the budget. Yahoo, specifically, has shown incredible lethargy in this regard. The company has, however, started notifying the affected users and recommending that they set new passwords.
Meanwhile, this announcement has jeopardized the company’s financial standing: the deal it struck in July to sell itself to Verizon for $4.8 billion now seems to be endangered. “We will review the impact of this new development before reaching any final conclusions,” spokesman Bob told the media. Investors, too, appeared shaky about the Verizon deal. Consequently, Yahoo’s shares fell 2 percent, to $39.95, after the disclosure of the latest hack.
On the other hand, the company’s stance on the situation is quite hopeful: it has been in communication with Verizon during its investigation into the theft and is convinced that the matter will not harm the pending deal, Yahoo told the media. Moreover, the ongoing investigation could find information that might bring a substantial change in the final conclusions.
Nevertheless, as long as Yahoo is not confident enough to declare its cyber systems fully secure, there is still a chance that graver issues might be discovered.