Euro Security Watch with Mathew J. Schwartz

Incident & Breach Response , Managed Detection & Response (MDR) , Security Operations

Yahoo Breach Conspiracy Theories: Don't Believe the Hype

Evaluating State-Sponsor Attack and Email Outage Claims
Yahoo Breach Conspiracy Theories: Don't Believe the Hype
Photo: Yahoo

Two conspiracy theories have emerged regarding Yahoo's recent mega breach. One, promulgated by the search giant itself, is that it was hacked by a "state-sponsored actor." Another is that after Yahoo discovered the record-setting, late-2014 data breach this past August, and publicly revealed it in September, it quietly pulled the plug on email forwarding to prevent irate customers from virtually defecting to another service.

See Also: Live Webinar | Navigating Identity Threats: Detection & Response Strategies for Modern Security Challenges

Neither scenario appears to be true. But Yahoo nevertheless faces some very real challenges ahead.

Data breaches rarely spell long-term disaster for organizations, barring the occasional collapse of a security firm, or a bitcoin exchange facing insolvency after its cryptocurrency goes missing.

Yahoo, however, had the misfortune to discover the full extent of its 2014 breach while in the midst of its sale to Verizon Communications, which has been expected to close in the first quarter of 2017.

The search giant said more than 500 million user accounts were compromised, and was quick to blame a nation-state for the attack, once it was belatedly found. "A copy of certain user account information was stolen from our systems in late 2014 by what we believe is a state-sponsored actor," Yahoo said last month. "Our investigation into this matter is ongoing and the issues are complex."

Some cybersecurity watchers have said that by blaming a nation-state - the equivalent of a force majeure that couldn't be blocked - Yahoo might trigger some clause in its cyber insurance, leading to full coverage. Another theory is that by blaming a well-resourced foreign intelligence agency for the hack, Yahoo could at least absolve itself of responsibility in the court of public opinion.

All of that is just guesswork, and Yahoo's move also seems futile, since the nation-state claim was quickly torpedoed by security firm InfoArmor, which claims that it traced the breach to a group of "professional blackhats." InfoArmor also claims that the number of stolen Yahoo accounts "could be more than 1 billion." In other words, the breach doesn't appear to have been a nation-state plot, but rather the work of a cybercrime gang looking to monetize stolen data, most likely in bitcoins.

Yahoo hasn't responded to my requests for comment on that report.

Email Forwarding Fracas

Yahoo recently caught further flak for disabling email forwarding, which would have allowed users to keep their Yahoo email accounts active indefinitely without having to log into the company's website or use its mobile apps. Some critics alleged the move was Yahoo's attempt to avoid mass customer defections after news of its mega-breach became public.

But Michael Albers, Yahoo's head of product management, said on Oct. 14 that Yahoo had temporarily disabled email forwarding as part of a platform upgrade that it claims will bring performance improvements.

"As of today, auto-forward is enabled again for all mail users," he said. "We apologize for the interruption." Albers added that there are also better ways to check Yahoo email via other mail readers or web services than email forwarding. "While mail forwarding is one way to access all your emails from any provider in one place, we recommend connecting your Yahoo inbox to your preferred email client or provider directly," he said.

Of course, users can also "use Yahoo Mail to keep track of all [their] inboxes," he added.

In the wake of Yahoo's record-breaking, historic mega-breach, however, it remains to be seen how many Yahoo users might now take the company up on that offer.

Guilty Until Proven Innocent?

While the two aforementioned Yahoo conspiracy theories apparently have been disproved, post-breach, reality may still bite.

Verizon, which recently reported declines in revenue and subscriber growth, says it's reviewing whether it will need to renegotiate the terms of its $4.8 billion July bid for Yahoo. "This was an extremely large breach that has received a lot of attention from a lot of different people," Verizon's chief financial officer, Francis Shammo, told analysts during the company's Oct. 20 earnings call. "We have to assume [it] will have a material impact on Yahoo."

On Oct. 19, Verizon's attorneys had their first call with Yahoo to discuss the breach investigation to date, "but as I understand that's going to be a long process," Shammo said, and it will take some time for the full impact to be understood. "So until then we haven't reached any final conclusions around this issue," he said.

Verizon officials have also said that it's up to Yahoo to prove that the breach hasn't had a material impact on the company's value.

Yahoo, predictably, claims that the breach hasn't negatively impacted its business. "We are confident in Yahoo's value and we continue to work toward integration with Verizon," it says in a statement.

So far, however, Yahoo's assessment is only a theory. And at least in the short term, it may be tough to prove.



About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.eu, you agree to our use of cookies.