Yahoo wasn’t lying when it told Verizon it didn’t know about the biggest hack in history

Staving off the gloom.
Image: Reuters/Mike Blake

Since Yahoo admitted on Sept. 22 that a 2014 hack compromised half a billion user accounts, a key question has been: how long has it known?

The Financial Times reported (paywall) on Sept. 23 that CEO Marissa Mayer knew Yahoo was looking into a possible hack back in July. This looks bad, since in late July, as it was selling itself for $4.8 billion to Verizon, Yahoo told the telco that it didn’t know of any such security incidents. Now Yahoo’s not only saying it was hacked; Verizon learned of the hack only two days before (paywall) the news went public. What gives?

The first thing to note is: no one’s lying—as far as we can tell, anyway. That’s because we’re talking about two separate incidents here: one of an alleged hack that surfaced in July, and the other of the breach that was confirmed on Sept. 22.

In July, a well-known hacker who goes by the name “Peace” told Motherboard that he possessed 200 million Yahoo user details, which were going for 3 bitcoins a pop on a darknet market called TheRealDeal. Yahoo confirmed that it was “aware” of the claim at the time. This is the incident that Mayer was aware of in July, according to the FT’s anonymous source: “Marissa was aware absolutely—she was aware and involved when Peace surfaced this allegation in July.”

The attempt to verify Peace’s claim then led Yahoo to discover the latest breach, of 500 million user records, according to the FT. Yahoo has attributed this hack not to Peace but to a “state-sponsored actor.” What’s not clear now is when Yahoo discovered the confirmed breach. It seems a safe bet that this discovery happened sometime after Peace made his claims in late July, which is also after the Verizon deal was clinched, on July 25.

Where does this leave Verizon and Yahoo? The deal allows for the buyer to back out if some development with a “materially adverse” effect on the business takes place. The largest security breach of a consumer technology company in history would seem to qualify. But this clause is actually pretty weak, because courts rarely support its use, according to the Wall Street Journal (paywall).

What’s more likely to happen is that Verizon gets a discount on the deal. How much is anyone’s guess, although one estimate, from analysts at SunTrust, puts it at between $100 million and $200 million—not a huge saving on a $4.8 billion purchase.