Data breaches can affect any business. It’s an unfortunate fact, but in today’s digital world, there are many technologically savvy criminals who seek to make money and wreak havoc upon millions. Cyberattacks can affect anyone, from the smallest neighborhood shop to the largest multinational corporations. However, while small businesses are affected constantly, the data breaches that affect large corporations are the ones that receive the most news coverage. And while the number of cyberattacks has risen in recent years, no incident comes close in number of victims to the back-to-back data breaches Yahoo faced in 2013 and 2014.
In honor of Cybersecurity Awareness Month, AXEL is writing about some of the worst leaks, data breaches, and ransomware attacks in history. Follow along all October long to learn about what went wrong, what could’ve been done, and how companies responded to devastating data breaches.
The History of Yahoo
From the late 1990s until the late 2000s, Yahoo was among the giants of Silicon Valley. The company never dabbled in hardware; instead, it focused on one utility: web services. And in the early years of the Internet, no one did web services better than Yahoo. Following in the footsteps of AOL, Yahoo built its first business model in the early 1990s around organizing new web pages into categories. When this proved successful, Yahoo quickly expanded into other web services, including email, instant messaging, news, and games [1]. With these services, Yahoo truly hit the mainstream. Throughout the 2000s, Yahoo remained popular, but began to lag behind tech newcomers like Google and Facebook and their suites of web services. Following years of underperformance, Yahoo was struggling in the early 2010s. Unfortunately, Yahoo’s problems were only just beginning.
The Breach(es)
In August 2013, an unknown third party gained access to Yahoo data, making off with names, birth dates, phone numbers, and poorly encrypted passwords [2]. For three years following the breach, Yahoo was unaware of this unauthorized digital theft. However, in August 2016, Yahoo accounts were seen for sale on the dark web. Later, three separate buyers bought this stolen data for USD $300,000. To this day, Yahoo and federal investigators do not know who was behind the 2013 hack [2].
In addition to the 2013 breach, Yahoo faced another cybersecurity crisis just a year later. In December 2014, Yahoo fell victim to another data breach, losing usernames, phone numbers, passwords, and security question answers for at least 500 million Yahoo accounts [3]. It was later revealed that the hack was the work of four men hired by Russia, who sought the personal information of American intelligence officers [3].
In contrast to the 2013 breach, however, Yahoo executives were made aware of the hack soon after it occurred. Yet when Yahoo was set to be acquired by Verizon in 2016, the company stated that it was aware of only four minor breaches [4]. In June 2016, Yahoo’s security team was aware that hundreds of millions of accounts were compromised, yet the company failed to inform Verizon or the public until September 2016.
The Fallout
Finally, in September 2016, Yahoo announced to Verizon and the public its knowledge of the 2014 breach. At the time, Yahoo estimated that 500 million accounts were compromised in the attack. In December 2016, Yahoo became aware of the 2013 attack and announced that an estimated one billion accounts were affected by the incident. While an estimated 1.5 billion compromised accounts is a nightmare for any business, the hacks and fallout occurred during a time of turmoil and transition for Yahoo. In fact, after the announcement of the 2014 hack, Yahoo lowered its purchase price to Verizon by $350 million [4]. Unfortunately, the news soon got worse for Yahoo. The company’s initial estimate of affected accounts was far from the true scale of the breaches.
In October 2017, Yahoo announced that all of its accounts were compromised in the two hacks. Over 3 billion accounts were ultimately affected by the breaches. Following the public reveal of the 2013 hack, Yahoo forced all of its users to change their passwords [5]. While this was a smart, necessary step, much of the damage had already been done. Usernames, phone numbers and birthdates were, unfortunately, already vulnerable.
After the breaches were revealed, Yahoo faced serious scrutiny from consumers and investigators alike. Following investigations, Yahoo was fined USD $35 million by the Securities and Exchange Commission (SEC), not for the breaches themselves, but for failing to disclose its knowledge of the 2014 breach until two years later [4]. In fact, this was the first time the SEC ever fined a public company for failure to disclose knowledge of data breaches. Additionally, Yahoo settled a class-action lawsuit for USD $80 million. Ultimately, Yahoo was punished for the cover-up, rather than the actual breaches. Unfortunately, the steep punishment simply did not outweigh the damage done to Yahoo and its customers.
Protecting Your Data
Although October is designated as Cybersecurity Awareness Month, true protection from data breaches and cyberattacks requires a year-long commitment. That’s where AXEL Go comes in. AXEL Go is a secure file-sharing and storage software that prioritizes data protection. Offering military-grade encryption and decentralized blockchain technology, AXEL Go is the best way to protect yourself or your business from cybercriminals. Put simply, your vital information deserves the best protection. If you’re ready to try the best protection, get two free weeks of AXEL Go here.
[1] Greenberg, Julia. “Once Upon a Time, Yahoo Was the Most Important Internet Company. Now It’s Struggling.” Wired. November 23, 2015. https://www.wired.com/2015/11/once-upon-a-time-yahoo-was-the-most-important-internet-company/.
[2] Perlroth, Nicole. “All 3 Billion Yahoo Accounts Were Affected by 2013 Attack.” The New York Times. October 03, 2017. https://www.nytimes.com/2017/10/03/technology/yahoo-hack-3-billion-users.html.
[3] Goel, Vindu, and Eric Lichtblau. “Russian Agents Were Behind Yahoo Hack, U.S. Says.” The New York Times. March 15, 2017. https://www.nytimes.com/2017/03/15/technology/yahoo-hack-indictment.html?_r=0.
[4] “The Hacked & the Hacker-for-Hire: Lessons from the Yahoo Data Breaches (So Far).” The National Law Review. May 11, 2018. https://www.natlawreview.com/article/hacked-hacker-hire-lessons-yahoo-data-breaches-so-far.
[5] Goel, Vindu, and Nicole Perlroth. “Yahoo Says 1 Billion User Accounts Were Hacked.” The New York Times. December 14, 2016. https://www.nytimes.com/2016/12/14/technology/yahoo-hack.html.