Yahoo just broke its own record for biggest online security breach in history.
Back in September, the former internet colossus revealed that a 2014 hack compromised about 500 million accounts. This week, we found out another attack — which occurred in 2013 — broke into more than one billion. (That's "billion" with a "b.") Names, passwords, phone numbers, dates of birth, and more were stolen. Since plenty of users have multiple accounts and plenty of the accounts may not be active, we're not sure yet how many actual people were harmed.
But here's the really awkward part: After a long twilight, and a failed last-ditch attempt at revival, Yahoo inked an agreement to sell itself to Verizon for $4.8 billion in July. Neither Verizon nor anyone else found out about either hack until the deal had already been signed.
Now reports are bubbling that Verizon has an entire internal team dedicated to just reviewing Yahoo's security breaches and assessing the economic and legal fallout. It sounds like they're ready to sue if the price of the deal isn't reduced — or maybe demand to be released from the deal entirely.
"As we've said all along, we will evaluate the situation as Yahoo continues its investigation," said Verizon spokesman Bob Varettoni. "We will review the impact of this new development before reaching any final conclusions."
So which way will Verizon go?
The first thing to understand is Verizon's reason for pursuing Yahoo in the first place. Verizon's grand plan is to expand beyond its mobile and wireless services and get into online media and advertising in a big way. Despite its troubles, Yahoo still boasts an enormous user base, and Verizon needs that audience to serve its ambitions. Verizon will also get Yahoo's infrastructure in the deal: its email services, its websites, its advertising tools, and even its physical real estate.
Now, it doesn't look like the first hack did any real damage to Yahoo's traffic. And apparently no payment or bank information was compromised by that breach either. But users also don't like relying on services that routinely get hacked — and Yahoo seems to have real trouble taking security seriously.
Clashes erupted between Yahoo's security team and upper management over the costs and inconveniences of implementing the protections you see at Google or Facebook. Security was never brought up to snuff, even though a series of spam attacks and the hacking of about 450,000 accounts exposed vulnerabilities in 2012. Yahoo didn't even discover this latest, biggest hack until U.S. law enforcement provided them with data files stemming from its own investigations.
Back in October, after revelations of the first hack, Verizon said they thought the deal still made sense. But the embarrassments for Yahoo are mounting: By late Thursday afternoon, the company's stock had already fallen 6.5 percent. Yahoo faces a pile of investigations by federal and state governments and agencies, and even by some foreign countries, over the hacks. The FBI is investigating the breach. Yahoo was even smacked with 23 class-action lawsuits over the previous hack — and at least one lawsuit already over the new one.
If Verizon balks at all of this and decides to try to void the deal, it might have ample ammunition. Yahoo employees reportedly discovered the 2014 hack that same year — which raised some eyebrows about why Verizon didn't find out until late 2016, months after the deal was struck. "What Yahoo executives knew about the breach, and when they knew it, have been crucial questions in Verizon's ongoing acquisition of Yahoo," as TechCrunch understatedly put it.
But if Verizon decides Yahoo's prodigious traffic will survive the PR fallout and moves forward with the deal, it might also have the leverage to save a lot of money. Following the news of the first hack, Verizon said they felt there was "a reasonable basis" for seeing the hacks as a "material" impact on the contract — jargon meaning it could legally justify rewriting the contract. The company also reportedly shaved $1 billion off its valuation of Yahoo. The latest revelation "will surely impact that valuation even further, not just because of the scale of it, but because it shows a pattern of serious failures on Yahoo's behalf," cyber security expert Troy Hunt told the BBC. If 500 million accounts meant a $1 billion drop in value, will the latest hack mean a $2 billion drop? More?
Either way, though, it sounds like Verizon has a very strong hand to play — and Yahoo does not.