Yahoo has admitted its $4.8 billion sale to Verizon might not go through, as it emerged that the firm knew a state-sponsored attacker had accessed its network as far back as 2014.
The internet pioneer claimed in an SEC filing yesterday that “there is no assurance that the sale transaction will be consummated in a timely manner or at all.”
That’s mainly due to revelations of a massive data breach which exposed the account details of 500 million users, including names, email addresses, bcrypt-hashed passwords and security questions and answers.
In the filing, it admitted for the first time that staff may have known for two years that an attack had taken place before the company finally revealed the news in September this year.
The filing stated:
“Following this investigation, the company intensified an ongoing broader review of the company’s network and data security, including a review of prior access to the company’s network by a state-sponsored actor that the company had identified in late 2014.”
The investigation is still ongoing and may yet uncover further poor security practices that could jeopardize the sale.
It continued:
“For example, our forensic experts are currently investigating certain evidence and activity that indicates an intruder, believed to be the same state-sponsored actor responsible for the security incident, created cookies that could have enabled such intruder to bypass the need for a password to access certain users’ accounts or account information.”
Yahoo said it is facing at least 23 consumer class action lawsuits and could yet incur punitive fines and additional costs.
ViaSat UK manager, Neil Fraser, said the filing laid bare the true costs of a data breach.
“The real risk doesn’t necessarily come from loss of intellectual property, or damage to business operations, but rather the ongoing harm to the organisation’s reputation. The cost might not be immediately apparent, but over time – or if the business is in a sensitive period – it could easily reach billions of dollars,” he claimed.
“The stakes are so high that organizations need to treat a cyber-attack not only as a threat, but as an inevitability; as whether an attacker is a state, or state sponsored, a criminal enterprise, or a single individual looking to boost their reputation, they can cause irreparable damage. In this case, an attacker who was looking to sell the stolen data for $1,800 could easily have cost Yahoo a million times that amount.”