By Georgia Wells and Ryan Knutson
Yahoo Inc.'s move to force some users to reset their passwords
following a newly disclosed security breach could disrupt the
planned sale of its core assets to Verizon Communications Inc.,
security experts say.
Yahoo didn't force users to reset their passwords after its
September disclosure of another breach. Experts say forcing users
to reset their passwords typically causes some to drop a
That is one reason why the newly disclosed hack -- which Yahoo
says occurred in 2013 and affected more than one billion accounts
-- could prove more disruptive to Verizon's pending $4.83 billion
acquisition of Yahoo's core assets.
Verizon's decision to walk away or push for a reduced price
rests on the damage to Yahoo, which will be defined by a drop in
users or engagement with its websites and services, according to a
person familiar with the matter.
Verizon had been aiming to close the deal in the middle of the
first quarter. If the deal goes through, closing will likely slip
to the latter half of the first quarter, the person said.
In September, Yahoo disclosed that hackers it believes were
state-sponsored had stolen information in late 2014 on more than
500 million accounts. Yahoo said Wednesday it doesn't believe the
two incidents are related.
Following the September disclosure, Yahoo executives suggested
to investors that the breach wasn't material, in part because it
hadn't required users to reset their passwords. When it reported
third-quarter financial results in October, Yahoo said users and
engagement had stayed steady.
Yahoo is forcing users to reset their passwords now because some
of the material taken in the 2013 breach wasn't encrypted, and
other parts were protected by what is now considered an outdated
encryption scheme, according to a person familiar with that
Verizon had been close to reaching a settlement with Yahoo that
involved sharing future liabilities arising from the 2014 hack,
such as potential lawsuits. But the disclosure of the larger 2013
breach effectively restarts the clock as Verizon seeks to determine
how badly Yahoo's brand has been damaged.
Security experts said the newly revealed 2013 hack was
particularly troubling for users, because the unidentified hackers
took not only usernames, passwords and other personal details for
more than one billion accounts, but also those users' security
questions and answers.
The information frequently used for security questions -- such
as the maiden name of the user's mother, the user's high school or
place of birth -- doesn't change, and might be used by hackers to
gain access to accounts on other services. The number of people
affected isn't clear, because some may have more than one account
and some accounts may be dormant.
"It doesn't matter if you haven't used your Yahoo account for 10
years, your mother's maiden name or where you met your spouse is
likely to stay the same," says Tatu Ylönen, chief executive of
computer security firm SSH Communications Security Inc. "Or even if
your spouse changes, your mother's maiden name still stays the
Given the number of accounts involved, experts said the theft of
the security questions and answers, some of which weren't
encrypted, poses new risks.
"The danger now isn't just with people's Yahoo accounts," says
Michael Geist, law professor at the University of Ottawa who
specializes in internet law. "That's where you start getting
Yahoo could have taken more measures to protect the
security-question data, security experts say. Andrew Komarov, chief
intelligence officer with InfoArmor Inc., an information-security
firm that has portions of the Yahoo database, said Yahoo appears
not to have encrypted the security questions or answers.
Ideally, "the meta-data associated with the user account should
be encrypted," Mr. Komarov says.
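The recommendation above, that security-question data be protected at rest, can be made concrete. The following is an added example, not code from the article, from Yahoo or from InfoArmor. It shows one defensive pattern: because a service only ever needs to check whether a submitted answer matches, answers can be stored as salted, slow hashes rather than as plaintext or reversibly encrypted text, so a copied database does not hand over the answers themselves. The normalisation rules, the PBKDF2 iteration count and the salt length are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import unicodedata
from typing import Optional

# Constructed parameters for this example (assumptions, not any vendor's settings).
ITERATIONS = 200_000
SALT_BYTES = 16


def normalize_answer(answer: str) -> str:
    """Canonicalise a free-text answer so trivial variations still match.

    Security answers are low-entropy and users retype them inconsistently,
    so we apply Unicode NFKC, fold case and collapse runs of whitespace.
    """
    folded = unicodedata.normalize("NFKC", answer).casefold()
    return " ".join(folded.split())


def enroll_answer(answer: str, salt: Optional[bytes] = None) -> dict:
    """Store an answer as a salted PBKDF2-HMAC-SHA256 hash.

    A per-record random salt means identical answers (e.g. a common surname)
    do not produce identical stored values, and the iteration count makes
    offline guessing of a leaked table expensive.
    """
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode("utf-8"), salt, ITERATIONS
    )
    return {
        "alg": "pbkdf2-sha256",
        "iter": ITERATIONS,
        "salt": salt.hex(),
        "hash": digest.hex(),
    }


def verify_answer(record: dict, candidate: str) -> bool:
    """Recompute the hash for a submitted answer and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(candidate).encode("utf-8"), salt, record["iter"]
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


if __name__ == "__main__":
    # Constructed sample answer; no real user data.
    stored = enroll_answer("  Smith ")
    print(stored["alg"], verify_answer(stored, "smith"), verify_answer(stored, "jones"))
```

The stored record carries its own algorithm name and iteration count so that the scheme can be upgraded later (re-hashing on next successful verification) without a flag day, which is the failure mode the article describes when it mentions data protected by a scheme "now considered outdated".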
Beginning Wednesday, Yahoo emailed users to inform them about a
data security issue that "may" involve their account information.
Although breach notification laws vary by state, the email likely
satisfied all state requirements, according to Paul Stephens,
director of policy and advocacy for Privacy Rights Clearinghouse, a
consumer education and advocacy nonprofit focused on privacy.
In the email to users, Yahoo recommends users change their
passwords and security questions and answers for any other accounts
on which they used the same or similar information used for their
Yahoo accounts. The email also said some users will be required to
change their passwords.
--Deepa Seetharaman contributed to this article.
Write to Georgia Wells at Georgia.Wells@wsj.com and Ryan Knutson
(END) Dow Jones Newswires
December 16, 2016 02:47 ET (07:47 GMT)
Copyright (c) 2016 Dow Jones & Company, Inc.