Just as Yahoo Inc. reportedly moved closer to sealing its sale to Verizon Communications Inc., new warnings about the extent of privacy breaches and hacks against its users raised fresh questions for the embattled Internet company.
Verizon is close to a revised takeover deal for Yahoo that would see the purchase price fall by as much as $350-million (U.S.) from the $4.83-billion it agreed to pay in July, 2016, Reuters reported on Wednesday. A source close to the deal was cited as saying the two companies have also agreed to share the liability of any costs associated with the hack of a billion user credentials starting as far back as 2013.
"The fact they are closing the deal at any price is really good. We thought Verizon would walk away," said Laura Martin, a senior analyst with investment-service company Needham & Company. "We believe Yahoo has indemnified Verizon for any losses attributable to the hack, which could be up to $4.5-billion. The hack could cost as much as the whole deal."
But just as markets gained renewed hope that Verizon's deal to purchase the Internet pioneer would go ahead – pushing Yahoo's stock up 1.5 per cent in intraday trading – news broke of another hack in 2015 or 2016.
The steady drip of bad security news started in September, 2016, when Yahoo reported that the passwords, birth dates and answers to security questions of as many as 500 million users had been stolen. That number ballooned to one billion users by December, along with U.S. Securities and Exchange Commission filings that showed Yahoo had known of the breaches in 2014. Not only had Yahoo not communicated that detail to customers or regulators, it seems not to have told Verizon during its sales talks.
On Wednesday afternoon, warnings from Yahoo began to circulate to users that outlined the latest hack. "Our outside forensic experts have been investigating the creation of forged cookies that could allow an intruder to access users' accounts without a password," the message read in part. "Based on the ongoing investigation, we believe a forged cookie may have been used in 2015 or 2016 to access your account."
In the hacks Yahoo disclosed in September, it implicated a "state-sponsored actor." And in a statement on today's news, the company confirmed it believed the cookie forgery was related to that attacker. "The company is in the process of notifying all potentially affected account holders. Yahoo has invalidated the forged cookies so they cannot be used again," the statement read.
In January, reports surfaced that the SEC was opening an investigation into Yahoo's disclosures of the hacking incidents. On Feb. 10, a former SEC lawyer now in private practice filed a federal class-action lawsuit against Yahoo on behalf of its shareholders. On the same day, two U.S. senators sent a letter to Yahoo chief executive officer Marissa Mayer – an ultimatum, really, to answer by Feb. 23 the legislative body's questions about the company's measures to deal with the data breaches.
How much it will all end up costing Yahoo is still unknown. By comparison, in 2015 Target Corp. reported it spent $162-million (U.S.) on the fallout of a massive hack in 2013 in which 70 million customers had credit-card data stolen.
"Yahoo should have told them when they were doing the bidding process that they'd been hacked," said Ms. Martin, who described the negotiations that followed the revelations as a slap on the wrist, as Verizon had long ago made up its mind that Yahoo's customers were worth the scandal. "That's what not being completely open and honest in the auction process costs you: $250-million."
"I expected quite a bit more than that – Verizon is buying damaged goods with Yahoo," said Jeff Kagan, an independent analyst.