Oriana Schwindt | September 23, 2016

5 Huge Questions About the Yahoo Hack, Answered

Are you at risk of identity theft? What about Verizon's deal to buy Yahoo? And who the heck has your information?

Half a billion Yahoo accounts were unlawfully accessed by hackers in 2014, the company revealed just yesterday. That’s half of the company’s user base.

The internet largely reacted to the news with various versions of “Huh, guess I better check if I have a Yahoo account” or “Maybe the hackers will make my fantasy football lineup better.”

That data breach is the largest in history. But how does it effect you? Some important questions remain. Here are the biggest ones:

Will people’s identities be stolen as a result?

Probably not. “In all likelihood, it’s probably not to raid people’s bank accounts. It’s probably to use in an espionage context,” David Hall, partner at cybersecurity-focused law firm Wiggin and Dana LLP, told TheWrap.
Wait, what?

Yahoo believes the attack was by a state-sponsored hacker, meaning that the ultimate owner of the information is now a government — Hall suspects China. “This is very similar to other hacks they’ve done, and it’s hard to imagine someone analyzing all that data from his mother’s basement,” Hall said.

Hall believed that the information snatched from your Yahoo account is probably sitting in a foreign government’s database, being analyzed for tidbits that can prove useful to that particular government. If you don’t work for the government, have access to classified information or otherwise run a large business that could be of interest to a country (like China), you’re unlikely to see any ill effects.

If you are one of those people, beware of e-mails from senders unknown that contain links or ask for any kind of personal information.

What should I do?

Change your password, as Yahoo has advised.

While you’re at it, make sure the passwords you use for different online accounts are significantly different from each other, so it’s much harder for hackers to construct a profile of you.

“The Yahoo compromise will surely exacerbate the password re-use problem for lots of users,” Wombat Security CTO Trevor Hawthorn said in an e-mail to TheWrap. “The silver lining is that the breach happened in 2014 so the stolen passwords are a little stale by now.”

Since information about security questions and answers was also obtained by the Yahoo hacker, Hawthorn also advises to change the security questions and answers you use for other online accounts.

How did this even happen?

The most likely way the hacker gained access to all this information was by sneaking into the network and nosing around until they found a way to give themselves administrative privileges. That would have allowed the hacker to step around trip wires designed to alert security to the presence of a hacker.

“Whatever the method, it was very sophisticated,” Hall said.

Why didn’t Yahoo come forward about this sooner?

There’s general agreement that Yahoo didn’t actually know about the breach until just a month or so ago, when someone on the encrypteddark web network claimed to be selling the information of 200 million Yahoo accounts that was taken in 2012. Yahoo didn’t find evidence of a hack in 2012, but they did find evidence of a whopper of a breach in 2014.

“You don’t wake up every four hours and go around your house looking for a burglar,” Hall said. “You need to know you’re looking for something in order to find it.”

What is going to happen with the Verizon deal?

Verizon agreed to purchase Yahoo in July for the paltry sum of $4.8 billion, though the deal isn’t set to close until 2017. As one former Yahoo employee told TheWrap, “This is like waiting to tell your partner you have herpes.”

But consider first that Microsoft agreed to purchase LinkedIn for $26.2 billion after Linkedin disclosed a 2013 hack of 100 million of its accounts.

Verizon said in a statement that it only became aware of the hack two days ago and is still trying to sort through the information.

Isn’t this a huge liability for both companies?

The question of liability gets a little thorny. While it is possible for Yahoo users affected by the hack to bring a suit, Hall said that most suits of that type tend not to be successful because, in the end, no financial damage is done.

“If your personal information is taken, that’s obviously bad and an intrusion and makes everyone nervous,” said Hall. “But it doesn’t necessarily mean that it’s going to cost the consumer money.”

All the same, the cost to Yahoo will be enormous. “Even the cost of just notifying users can be exorbitant,” Hall said. “And then you’ve got the forensic costs, figuring out what was taken and how.”

Read the article on The Wrap