In September, Yahoo! admitted that it had been hacked, with half a billion accounts affected. The theft, the company said at the time, could have included names, e-mail addresses, telephone numbers, dates of birth, and even encrypted or unencrypted security questions and answers.
So far, so bad. But, say experts, the company made things even worse for itself by handling the breach as it did. Indeed, the news has thrown a massive spanner in the works of its pending acquisition by Verizon.
“How many times has Verizon now hinted that it needs to go back and look at the value of Yahoo! because there is clear damage to the brand?” asks Kevin Bocek, chief security strategist at Venafi, which analysed the breach. “It’s taken at least $1 billion off the value of Yahoo!”
So what did Yahoo! do wrong? Firstly, and perhaps most shockingly, the company took two years to alert users to the fact that their data had been stolen.
“In this time, a great deal of additional harm will have occurred to the comprised accounts, ranging from account hijacking through to identity theft and fraud,” says Jamie Graves, co-founder and chief executive of security firm ZoneFox.com.
Yahoo! has also been criticised for saying just a week or two before the disclosure that it wasn’t aware of any security breaches.
In fact, the company seems to have been remarkably blasé about the effects of its revelations. When Venafi investigated it found that in the three months running up to the announcement, only 2.5 per cent of security certificates had been replaced.
“They were just going ahead with everyday business, but it seems a bit surprising for an organisation that was just about to announce the biggest ever data breach,” says Mr Bocek.
And, after the event, the company failed to do everything for users that it could, choosing not to offer free credit report monitoring, for example.
All in all, the incident has been a textbook example of how not to handle a breach and has been catastrophic for Yahoo!’s reputation. Not only has its acquisition by Verizon been threatened, users are up in arms and there are several lawsuits pending.