500 million accounts hack


In September 2016, the once-dominant internet service company, while in negotiations over its sale to Verizon, announced that it had been the victim of the biggest data breach in history, likely carried out by a state-sponsored actor in 2014. The attack compromised the real names, email addresses, dates of birth and telephone numbers of 500 million users.

In 2017, the Department of Justice indicted four suspects for the attack and subsequently revealed that, to breach the accounts they were targeting, the hackers first needed to compromise just a single Yahoo employee via a spearphishing campaign. The targeted attack allowed the four, and possibly other unnamed parties, to gain direct access to the company's internal networks.

This breach (and the company's other breach) reduced the company's sale price by an estimated USD 350 million. The sales agreement called for the two companies to share regulatory and legal liabilities from the breaches. After the sale, the company changed its name to Altaba, Inc.

In March 2018, it was reported that the company had agreed to pay $80 million to settle a federal securities class action lawsuit following the massive data breaches. The settlement includes all those who purchased Yahoo securities on the open market between April 2013 and December 2016.

In April 2018, the Securities and Exchange Commission announced a $35 million fine against the company formerly known as Yahoo for failing to tell investors about the massive cyber breach for two years. It was the first time the regulator had punished such conduct, and the case was described as a 'groundbreaking data breach case'.

Courtenay Brammar

Experienced global enterprise risk and governance professional. Previously Vice President at Morgan Stanley, Deloitte Risk Advisory practitioner and PRMIA steering committee member in both London and New York.

  • Altaba Inc.
  • Yahoo Inc.
