Trade Law Daily is a Warren News publication.
Verizon Deal Revisions Near?

New Yahoo Breach Disclosures May Help Address Pressure from Hill, Verizon

Yahoo warned an undisclosed number of its users Wednesday that their accounts may have been compromised in 2015 and 2016 by the same “state-sponsored actor” responsible for the 2013 and 2014 data breaches. The 2013 and 2014 breaches may have compromised up to 1.5 billion user accounts (see 1612140076 and 1609220046). Yahoo disclosed the information Wednesday amid ongoing pressure from Congress and Verizon’s evaluation of how to proceed with the carrier's planned $4.83 billion acquisition of the company (see 1701240048). Some cybersecurity lobbyists told us they believe the disclosure was aimed at easing the pressure from Congress and Verizon.

Yahoo Chief Information Security Officer Bob Lord told affected users in an email that the company’s investigation into the 2013 and 2014 breaches indicates “a forged cookie may have been used in 2015 or 2016 to access your account. We have connected some of the cookie forging activity to the same state-sponsored actor believed to be responsible for the data theft we disclosed” in September. Yahoo revealed in December that the hacker had forged cookies using the company’s proprietary code. As before, Yahoo has “invalidated the forged cookies and hardened our systems to secure them against similar attacks,” Lord said. “We continuously enhance our safeguards and systems that detect and prevent unauthorized access to user accounts.”

The company is “in the process of notifying all potentially affected account holders,” a spokeswoman said. An industry executive said it appears likely that Yahoo’s investigation into the breaches is in its “final stages” and the company appears to have notified only users who were on a “reasonably final list” of those affected by the breaches. The notifications came hours after news reports that Verizon and Yahoo were nearing a deal to revise down Verizon’s purchase price for Yahoo by $250 million-$300 million from the original $4.83 billion figure. The revised deal also reportedly would see Verizon and its eventual Yahoo subsidiary -- to be renamed Altaba -- share legal responsibilities related to the data breaches. Yahoo was facing at least two dozen lawsuits over the breaches (see 1612230029). Verizon and Yahoo didn’t comment.

The new disclosures may have been prompted as much by Yahoo's need to reduce the pressure from Congress as they were by the company's commitment to investigate the breaches, said a tech sector lobbyist. Senate Commerce Committee Chairman John Thune, R-S.D., and Senate Commerce Consumer Protection Subcommittee Chairman Jerry Moran, R-Kan., sought answers last week from Yahoo CEO Marissa Mayer about the breaches, saying in a letter they questioned the company’s “willingness to deal with Congress with complete candor about these recent events” (see 1702100059).

Yahoo’s new disclosures may prompt additional questions from Capitol Hill and others about why the company and others in the tech sector have “seemed to turn such a blind eye to this for years,” said Shane Tews, visiting fellow at the American Enterprise Institute’s Center for Internet, Communications and Technology Policy. “We’re getting to a point where people are not going to allow these companies to just get away with losing the security of this data without some repercussions.” The Senate “seems to be heading in that direction” and Yahoo may be trying to “head off something coming up that’s not going to be good” for the company, Tews said.