Anatomy of a Breach

Anatomy of a Breach: Yahoo — 500 Million Accounts and the Breach That Nearly Killed a $4.8 Billion Acquisition

> series: anatomy_of_a_breach —— part: 093 —— target: yahoo —— accounts: 500,000,000 —— delay: 2_years —— acquisition_impact: -$350M

Hedgehog Security 30 September 2016 13 min read

500 million accounts. Disclosed two years late. $350 million wiped off an acquisition.

On 22 September 2016, Yahoo disclosed that data associated with at least 500 million user accounts had been stolen in a cyber attack that it attributed to a 'state-sponsored actor.' The breach had occurred in late 2014 — meaning Yahoo had either not detected it for two years or had detected it and delayed disclosure. The stolen data included names, email addresses, telephone numbers, dates of birth, hashed passwords (using bcrypt for some, MD5 for others), and in some cases, encrypted or unencrypted security questions and answers.

The timing was catastrophic for Yahoo's business: the disclosure came while Verizon was negotiating a $4.83 billion acquisition of Yahoo's core internet assets. The breach disclosure — and the even larger one that would follow in December — ultimately resulted in Verizon reducing its offer by $350 million. The Yahoo breaches became the defining case study for cyber due diligence in mergers and acquisitions, proving that undisclosed breaches can have a direct, quantifiable impact on corporate valuation.


Recommended

Not sure where to start?

We'll scope your test for free and tell you exactly what you need. No obligation, no hard sell.

Free Scoping Call

Two years of silence. Mixed password hashing. Unencrypted security questions.

Two-Year Disclosure Delay

The breach occurred in 2014 and was disclosed in 2016 — a two-year gap that left 500 million users at risk without their knowledge. Under GDPR (which would come into force in 2018), organisations must disclose breaches within 72 hours. The Yahoo delay demonstrated why mandatory disclosure timelines are essential. <a href="https://www.socinabox.co.uk">SOC in a Box</a> detects breaches in real-time, enabling prompt disclosure.

Mixed Password Hashing — bcrypt and MD5

Yahoo used bcrypt for some passwords but MD5 for others — meaning a significant portion of credentials were trivially crackable. This inconsistent approach — some accounts well-protected, others exposed — is the kind of legacy technical debt our <a href="/penetration-testing/web-application">application testing</a> identifies.

Unencrypted Security Questions

Some security questions and answers were stored unencrypted — providing attackers with the answers to recovery questions that users may have used across multiple services. Security questions are an inherently weak authentication factor, and storing them unencrypted compounds the weakness.

M&A Impact: -$350 Million

The breach disclosure directly reduced the acquisition price by $350 million — 7.25% of the deal value. For any organisation contemplating M&A, the Yahoo case established that cyber security posture is a material component of corporate valuation. Our <a href="/penetration-testing">penetration testing</a> is regularly commissioned as part of M&A due diligence.
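The two hashing findings above (a credential store mixing fast, unsalted MD5 with bcrypt, and recovery answers kept in the clear) share one remediation pattern: inventory which records are still on the weak format, and upgrade each one transparently the next time the user presents the plaintext. The following Python is an added illustration of that pattern; it is not Yahoo's code and not a Hedgehog Security tool. It uses the standard library's `hashlib.scrypt` as a stand-in for bcrypt so it runs without third-party packages, the `$md5$` / `$scrypt$` prefix convention is an assumption for this example, and the user records are constructed sample data.

```python
"""Inventory legacy MD5 credentials and migrate them to a slow, salted KDF at login.

Added example (not from the article). hashlib.scrypt stands in for bcrypt here
because it ships with Python; the storage prefixes "$md5$" and "$scrypt$" are an
assumed convention for this example.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional

# scrypt work factors for the example; production deployments tune these upward.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def md5_hash(secret: str) -> str:
    """Legacy format: unsalted MD5, the kind of entry that must be retired."""
    return "$md5$" + hashlib.md5(secret.encode()).hexdigest()


def scrypt_hash(secret: str, salt: Optional[bytes] = None) -> str:
    """Modern format: per-record random salt plus a memory-hard KDF."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(secret.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return "$scrypt$" + salt.hex() + "$" + digest.hex()


def verify(secret: str, stored: str) -> bool:
    """Verify a secret against either storage format using constant-time comparison."""
    parts = stored.split("$")
    if len(parts) >= 3 and parts[1] == "md5":
        return hmac.compare_digest(md5_hash(secret), stored)
    if len(parts) == 4 and parts[1] == "scrypt":
        return hmac.compare_digest(scrypt_hash(secret, bytes.fromhex(parts[2])), stored)
    raise ValueError("unrecognised hash format")


def normalise_answer(answer: str) -> str:
    """Recovery answers are matched case- and whitespace-insensitively, so normalise
    before hashing; otherwise "Fluffy" and "fluffy " could never verify."""
    return " ".join(answer.lower().split())


def is_legacy(stored: str) -> bool:
    return stored.startswith("$md5$")


def legacy_fraction(store: Dict[str, Dict[str, str]]) -> float:
    """Inventory check: what share of accounts still carry an MD5 password hash."""
    legacy = sum(1 for rec in store.values() if is_legacy(rec["password"]))
    return legacy / len(store)


def _check_and_upgrade(record: Dict[str, str], field: str, plaintext: str) -> bool:
    """Verify one field; on success, rewrite a legacy entry with the modern KDF.
    The plaintext is only available at this moment, which is why migration
    happens at login rather than in a batch job."""
    if not verify(plaintext, record[field]):
        return False
    if is_legacy(record[field]):
        record[field] = scrypt_hash(plaintext)
    return True


def login(store: Dict[str, Dict[str, str]], user: str, password: str) -> bool:
    record = store.get(user)
    return record is not None and _check_and_upgrade(record, "password", password)


def check_answer(store: Dict[str, Dict[str, str]], user: str, answer: str) -> bool:
    record = store.get(user)
    return record is not None and _check_and_upgrade(record, "answer", normalise_answer(answer))


def build_sample_store() -> Dict[str, Dict[str, str]]:
    """Constructed sample data: two accounts on legacy MD5, one already upgraded.
    Recovery answers are hashed the same way as passwords, never stored in clear."""
    return {
        "alice": {"password": md5_hash("correct horse"), "answer": md5_hash("fluffy")},
        "bob": {"password": md5_hash("password1"), "answer": md5_hash("toronto")},
        "carol": {"password": scrypt_hash("s3cure-pass"),
                  "answer": scrypt_hash(normalise_answer("Rover"))},
    }


if __name__ == "__main__":
    store = build_sample_store()
    print(f"legacy share before login: {legacy_fraction(store):.2f}")
    login(store, "alice", "correct horse")
    print(f"legacy share after alice logs in: {legacy_fraction(store):.2f}")
```

The `legacy_fraction` figure is the number an acquirer's due-diligence team would ask for: how much of the user base is still one leaked table away from plaintext. Running the migration inside the login path means the share falls with every successful sign-in, while accounts that never return stay flagged for a forced reset.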

Breaches destroy deals. Cyber due diligence is not optional.

The Yahoo breach established three principles that apply to every organisation: first, delayed disclosure causes more damage than prompt disclosure (the two-year gap amplified the impact on the Verizon deal). Second, breaches have quantifiable financial consequences that extend beyond remediation costs to corporate valuation. Third, M&A due diligence must include comprehensive cyber security assessment — our penetration testing is regularly commissioned for this purpose.

Cyber Essentials certification demonstrates security investment to potential acquirers and partners. SOC in a Box enables prompt breach detection and disclosure. Our infrastructure and application testing identifies the vulnerabilities that acquirers will discover during due diligence. And UK Cyber Defence provides the incident response capability that limits breach impact on business operations and corporate value.


Yahoo's breach cost $350 million off the acquisition price. What would a breach cost your business?

Our <a href="/penetration-testing">penetration testing</a> is commissioned for M&A due diligence. <a href="/cyber-essentials">Cyber Essentials</a> demonstrates security posture. <a href="https://www.socinabox.co.uk">SOC in a Box</a> enables prompt detection.
