Verizon is to pay a discounted price for its acquisition of tech giant Yahoo after the disclosure of two massive breaches last year. The two companies are reportedly closing a deal which would cut the sale price of yahoo by around US$300 million (£240 million) according to a variety of outlets.
The discount appears to come as fallout from the disclosure of two major breaches of Yahoo, believed to be some of the biggest ever recorded, combined by the failure of executives in the company to disclose one of the breaches to customers for over a year. The two companies are also said to be discussing shared liability as a result of those breaches
The deal represents a significant reduction on the original US$4.8 billion (£3.84 billion) price was set in late July 2016 prior to Yahoo publicly disclosing two massive breaches.
Yahoo first disclosed a breach in September 2016, telling the public that the data of 500 million users had been accessed in 2014 by what it believed to be a Russian state sponsored attacker. A former employee later told Reuters that some user data had been intentionally left unencrypted.
In December, Yahoo reported an even bigger breach. The company announced in a blogpost that in 2013, an attacker had accessed the accounts of one billion users, stealing their names, emails, phone numbers, dates of birth and MD5 encrypted passwords. The attacker was believed to be the same as the one who conducted the first breach.
To make matters worse, it was later revealed that Yahoo Executives knew about the first breach but did not tell users, Verizon or investors until 2016.
Verizon's CEO, Lowell Mcadam, was quoted in the Wall Street Journal saying that, given these new details, the forthcoming deal could be renegotiated.
Commentators disagreed over what effect the disclosures might have on the upcoming sale of the search engine. While some said the deal might unravel, others said that commingling Yahoo's one-billion plus users with Verizon's wireless customers was simply too enticing to end the deal.
Both parties have remained tight-lipped and it is not quite clear what effect the breaches had on the sale price of Yahoo! as but hundreds of millions of Yahoo user credentials have already been found for sale on the dark web and some users have announced their intentions to sue the company for failing to safeguard their data.
The US Securities and Exchange commission is also said to be investigating the company for its failure to report the breach earlier and EU privacy regulators have questioned CEO Marissa Mayer. Yahoo eventually delayed the acquisition in January, postponing its estimate for finalising the deal from the original date of March 31st to the second quarter of 2017.
Commentators seem sure of what's behind the discount. It doesn't surprise Nick Pointon, head of mergers and acquisitions at SQS, who told SC, “Yahoo is now left feeling further ramifications of neglecting its IT systems in anticipation of the acquisition. This is a prime example of the knock-on effect of poor technical due diligence prior to a merger or acquisition and is a stark reminder that issues unearthed during the closing stages of an acquisition have the potential to affect the final sale price. Had Yahoo addressed its IT systems and its security properly, in good time, the sale price would have been much higher.”
This is a wake up call to boardrooms, said Paul McEvatt, senior cyber threat intelligence manager at Fujitsu, “If cyber-security wasn't already a priority agenda item across boardrooms, then the news today that Verizon has successfully negotiated a US$300 million discount on the acquisition of Yahoo due to its significant cyber-security breaches will resonate with key stakeholders in many organisations.”
Users are reportedly still feeling the consequences of those mega breaches. The company has yet again notified users of further private data breaches, linked to last year's massive disclosures.
In an email sent from Yahoo CISO Bob Lord, users are told that their accounts may have been compromised using a forged cookie, which allowed hackers to gain access to accounts without using passwords. The email reads, “We have connected some of the cookie forging activity to the same state-sponsored actor believed to be responsible for the data theft we disclosed on 22 September., 2016.”
Andy Norton, risk officer, EMEA at SentinelOne noted that investigators suspect, “that the attacker had access to proprietary code to learn how to forge cookies. This would show new behaviours other than just stealing user databases, the attackers have also looked at alternative methods to infiltrate Yahoo users accounts.”
“Yahoo – and other email providers – would be a target if they are providing services to regime dissidents or investigative journalists – essentially any user who poses a perceived threat to a current regime. There have been links in the Yahoo attack, made to the Bellingcat attack, which is investigating the MH17 disaster. This does not mean “Russia” or “China”, but it does indicate motivation.
A Yahoo spokesperson told SC that, outside forensic experts have been investigating "the creation of forged cookies that could have enabled an intruder to access our users' accounts without a password. The investigation has identified user accounts for which we believe forged cookies were taken or used.” Yahoo is currently in the process of notifying all potentially affected account holders has invalidated the forged cookies so they cannot be used.Users should resist the law of diminishing returns, Chris Boyd, malware intelligence analyst at Malwarebytes told SC, "It's fair to say that many Yahoo! users must already be feeling 'incident fatigue', given the frequency these stories seem to crop up. The sense of confusion - 'Haven't I heard about this one and taken steps already?' - can lead to people becoming complacent with regards updating login, or worse, simply not bothering to shore up defences. In this case, that feeling may be amplified given the end-users weren't at fault, but it's essential all Yahoo users roll up their sleeves and continue to use secure passwords and enable two-step verification."