In terms of “mega breaches”, it is unprecedented in the number of records affected. The full scale and potential impact of the Yahoo hack, as reported in late September, continues to reverberate around the world. The company has said that “state-sponsored” hackers stole data on some 500 million users, including at least eight million in the UK; the stolen data included names, email addresses, phone numbers, dates of birth and encrypted passwords – but not credit card data. It looks to be the biggest publicly disclosed cyber-breach to date.
The hack raises some serious questions. How did it happen in the first place, and on such a huge scale? Why did it take Yahoo so long to confirm the scale of the breach, which happened in 2014? (It’s also worth noting that other mega breaches recently reported, a 2016 trend, took place even earlier: LinkedIn and Dropbox in 2012, MySpace in 2010.) And if this was a “state-sponsored act”, by whom and to what end? The FBI is said to be investigating. The company has recommended that all Yahoo users change their passwords if they haven’t done so since 2014. But the implications didn’t stop with Yahoo: in the UK, the ISPs Sky and BT also warned that their customers may be affected by the hack, as Yahoo provides email services to them. Sky estimated it had 2.5 million email account holders at the time of the breach. BT was conducting its own investigation.
And the pressure on Yahoo continues to build: last week, US senators wrote to its chief executive Marissa Mayer demanding answers, requesting a timeline of the breach and asking why it went “undetected” for so long. BBC News also reported that Yahoo – which agreed in July to sell its core business to Verizon for $4.8bn (£3.7bn), with the US telecoms giant saying it was “unaware” of the massive hack until a couple of weeks ago – is also facing class-action lawsuits. This one looks like it will run and run – and again underlines the need for fresh thinking and ever stronger measures in cyber and cloud security.