Yahoo! Inc. is preparing to disclose a “massive” data breach of its main service, Recode reported, just as Verizon Communications Inc. prepares to take over the ailing internet company’s core assets.
The break-in was “widespread and serious” and is expected to be disclosed this week, the tech news website said, citing several anonymous sources close to the situation as saying. Yahoo didn’t respond to phone and e-mailed requests for comment outside of normal business hours.
Such a revelation would confirm earlier reports that the same hacker who’d stolen data from LinkedIn was now selling information from 200 million Yahoo accounts on a dark web marketplace. The data up for sale included user names, scrambled passwords and birth dates and likely dated from 2012, Motherboard reported in August, citing the cyber-attacker, who went by the name Peace. Yahoo said at the time it was investigating the claim.
It’s worth noting, however, that many of the stolen accounts in a sample of data obtained by Motherboard were no longer in use and had been canceled. The sale of all of the data for just under $2,000 also suggested that the information itself was of little value, either because most of it was obsolete, made-up, or useless because the hackers had already attacked legitimate accounts and exhausted their need for the data.
Whatever the scale of the alleged breach, the incident shows the danger of large datasets spilling into the hacker underground and being used for criminal purposes for years without the breached companies knowing or taking minimal action based on whatever data hackers tell them was taken.
LinkedIn said in May that it was investigating whether a breach of more than 6 million users’ passwords in 2012 was bigger than originally thought, following a hacker’s attempt to sell what was purported to be login codes for 117 million accounts. The company said that it appeared more data was taken in the initial compromise and that the company was just learning about the larger amount through the hacker’s posting.
Like many Internet companies that have been breached, LinkedIn only reset passwords of everyone it believed was part of the breach at the earlier time, which amounted to 6.5 million users. It’s unclear what steps, if any, Yahoo has taken since learning about the alleged compromise.
Reports of the security breach come just as Chief Executive Officer Marissa Mayer is about to close a deal that ends the once-dominant internet firm’s independence. Verizon is acquiring its internet assets for $4.8 billion, bringing the web portal together with longtime rival AOL. The telecommunications company will pick up services that still draw 1 billion monthly users, including mail, news and sports content and financial tools.