Yahoo on Thursday reported the largest data breach in history — affecting at least 500 million user accounts — months after first detecting signs of an intrusion that the company blamed on "state-sponsored" hackers.
The Web giant called on customers to change their passwords and institute other protective measures, but the largest fallout could be for Yahoo itself. The long-faltering company this summer agreed to sell its core business for $4.8 billion to telecommunications giant Verizon in a deal now clouded by news of the massive breach. Verizon said it learned of the incident only "within the last two days."
The timeline highlighted a dilemma created by hacks: Companies often take months or even years to report suspicions of breaches — if they report them publicly at all — holding the information back from customers, business partners and even potential new owners of a company.
"The dark cloud this casts will be very long and will likely impact the merger agreement," Jeff Kagan, a Georgia-based telecommunications industry analyst, said in an email. "We'll just have to wait and see what happens next."
Yahoo learned of the incident in July, the same month it announced its deal with Verizon, a person familiar with the matter said, speaking on condition of anonymity to freely discuss the issue.
When asked, Yahoo declined to say whether it first learned of the hack before or after that deal was announced.
Yahoo ultimately revealed the breach after Recode, a news site focusing on Silicon Valley, reported Thursday morning that the ailing tech giant would confirm a data breach affecting hundreds of millions of accounts.
The total number of affected accounts, by reaching 500 million, gave it the dubious distinction of being the largest breach on record, said Paul Stephens of the Privacy Rights Clearinghouse.
Stephens said that consumers must also take steps to take care of matters themselves, outside of their Yahoo accounts. "It's really important that individuals think long and hard about passwords as well as security questions and answers they used on Yahoo that they might have used somewhere else," Stephens said. "It's very important to remember that if that information is available to hackers, they are going to try and use it on other sites as well."
Yahoo reported that the intrusion apparently began in 2014. Company Chief Information Security Officer Bob Lord wrote in a blog post that names, email address, telephone numbers, dates of birth and answers to "security questions" may have been stolen but financial information such as credit card numbers apparently was not because that data was stored in a separate system.
"Yahoo is working closely with law enforcement on this matter," Lord wrote.
Sen. Mark R. Warner (D-Va.) chastised Yahoo for not reporting suspicions of a breach sooner and called on the federal government to impose stricter disclosure requirements for companies. Companies now face a messy patchwork of state disclosure laws but no federal standard for reporting about breaches, including when, how and who was affected.
"While its scale puts it among the largest on record, I am perhaps most troubled by news that this breach occurred in 2014, and yet the public is only learning details of it today," Warner said in a statement. "Action from Congress to create a uniform data breach notification standard so that consumers are notified in a much more timely manner is long overdue."
Although President Obama proposed a federal law in 2015 that would give companies 30 days to notify the public about a discovered hack, lawmakers have yet to approve a single national standard.
On Thursday, Sen. Richard Blumenthal (D-Conn.) called on investigators to determine whether Yahoo intentionally withheld information about the incident to "artificially bolster its valuation" by Verizon — a potentially serious act of deception.
The impact on Verizon's deal with Yahoo was not immediately clear. Major data breaches have become a routine event for corporate America and also for major government agencies and political groups. The Yahoo intrusion stands out for the sheer scale of the customers apparently affected, a legacy of the company's once-commanding position for Internet users who turned to the company for web searches, email accounts, user groups and news reports.
The Verizon deal was seen as a relatively soft landing for Yahoo, a company overtaken by competitors in nearly every one of its major businesses.
Verizon, in a company statement, said that it was monitoring news of the breach. "We understand that Yahoo is conducting an active investigation of this matter, but we otherwise have limited information and understanding of the impact," the company's statement said. "We will evaluate as the investigation continues through the lens of overall Verizon interests, including consumers, customers, shareholders and related communities. Until then, we are not in position to further comment."
The security breach is yet another bruise for the aging tech firm and chief executive Marissa Mayer, who joined Yahoo in 2012 to effect a turnaround and ended up having to sell the firm's core assets instead.
Microsoft's recent acquisition of LinkedIn, which came one month after the social network revealed it 167 million of its accounts had been breached, show a breach alone is not necessarily enough to derail a deal, said John Levallo, senior vice president at the public relations and strategic communications firm Levick.
But he said the tech giant will be hard-pressed to rehabilitate its overall reputation in light of this breach.
"Focus on the consumer and not the deal," Levallo said. "If I were in that boardroom at this moment in time, I would say we understand there's a huge deal on the table right now. But first address and resolve the issue for your consumers and the transaction will take care of itself."
Yahoo has had a poor security reputation in the past, one of the many things that Mayer has focused on since becoming chief executive.
Vice's Motherboard blog in August reported that Yahoo was investigating an alleged breach after the news organization found that a cybercriminal known as "Peace" claimed to be offering 200 million Yahoo user credentials for sale online. The data was advertised on the "dark web" — a part of the Internet accessible only through the use of special software such as the anonymous browsing tool Tor and often associated with illicit activities.
Staff writers Andrea Peterson and Ellen Nakashima contributed to this report.