Could a massive hack of Yahoo bring down the company?

Yahoo recommends that users change their passwords – almost two years after 500 million users had them compromised.

Denis Balibouse/Reuters
A Yahoo logo is pictured in front of a building in Rolle, east of Geneva, December 12, 2012. The company has announced that 500 million Yahoo users had their accounts hacked in 2014.

Yahoo confirmed on Thursday that hackers stole personal information from at least 500 million accounts, in possibly the biggest such breach of an email provider in history.

"A copy of certain user account information was stolen from our network in late 2014 by what we believe is a state-sponsored actor," said the company in a message to its users. The stolen data included names, addresses, telephone numbers, dates of birth, passwords and some users' security questions, it added, though information about users’ credit cards or bank accounts did not appear to be part of the leaked data.

Yahoo went on to recommend that all users change their passwords if they have not done so since late 2014, when the hacks occurred.

The breach was discovered after reports in August of another attack on the company’s servers by a notorious hacker known by the handle Peace, who was attempting to sell information corresponding to 200 million Yahoo users on the dark web, a hidden area of the web frequented by criminals. And the nearly two-year lapse in time between the hack and the company’s announcement – and public recommendation about how users should respond – puts in doubt Yahoo’s ability to protect users’ security. Some experts suggest that on the heels of its sale to Verizon in July for $4.8 billion, it could even bring down the company.

"Yahoo may very well be facing an existential crisis," Corey Williams, senior director of products and marketing at computer security firm Centrify, told U.S. News and World Report.

Yahoo's confirmation of the data breach comes amid heightened concern about US cybersecurity. American officials and cybersecurity experts suspect Russian hackers are behind an ongoing effort to influence the US presidential election. 

The company has blamed state-sponsored hackers for the breach but so far, the Yahoo hack has not been definitively connected to suspected Russian meddling in US politics. 

But hackers forcing Yahoo to shutter, or otherwise precipitating its decline, would carve out a new precedent in what US officials and cybersecurity experts suspect is a campaign by Russia to undermine US political institutions. It also appears to highlight a new frontier in state-authored cyberattacks that has yet to be crossed.

Some of those earlier attacks, possibly Russian, may have exposed information belonging to private citizens. A breach of two states’ voter registration databases, officials say, may have allowed hackers to access data from as many as 200,000 voters. But that attack, like the one carried out against Yahoo, did not leak private financial information – although user data that was apparently being sold on the dark web could well be put to use by cyberthieves.

Three US intelligence officials, speaking on condition of anonymity, told Reuters that the attack resembled earlier breaches thought to stem from Russian intelligence agencies and Russian state-sponsored hackers. Those breaches of electoral infrastructure have sent US officials scrambling not just to shore up vulnerabilities, but to define their approach to cybersecurity.

And as The Christian Science Monitor reported in July after President Obama released a policy directive outlining how his administration would respond to major cyberattacks, many experts say that the government’s approach may not be as robustly modeled as they would hope.

To help determine whether a breach is significant, the administration released a color-coded system to rank their severity by measuring the potential consequences and the attackers’ suspected intent.

But prominent security experts are panning the directive – particularly the color-coded model similar to the Department of Homeland Security’s abandoned terror alerts – which they say does not properly take into account the complex nature of cyberthreats the country currently faces.

...

"The problem with these types of documents is that they have a certain type of attack envisioned, the classic, 'Here’s a cyberattack that destroys data or causes physical destruction' and there’s a huge scramble of a response," says Adam Segal, director of the Digital and Cyberspace Policy Program at the Council on Foreign Relations.

"But as the DNC hack shows, or the hack on Sony Pictures shows, there's a lot of hacks that, over time, seem to affect a national or foreign policy interest – and we’re going to have to be more flexible and creative about the way these agencies are going to be involved," Mr. Segal says. "I suspect that the future attacks we face will often not fit into plans." 

Verizon, which purchased Yahoo in July, told the BBC it had "limited information" on the hack, of which it had only learned "within the last two days".

"Until then, we are not in a position to further comment," it said.
