Late last week, Internet search and content provider Yahoo acknowledged a data breach dating to 2014 that compromised the personal information of “at least” half a billion users. That’s as many compromised records in one intrusion as were reported across nearly 1,000 individual breaches in the entire first half of 2016.
According to the company, which is involved in a pending sale of its core business to communications giant Verizon for nearly $5 billion, hijacked information includes names, email addresses, telephone numbers, dates of birth, hashed passwords and, in some cases, encrypted or unencrypted security questions and answers. Rumors of an intrusion surfaced this summer when a hacker named “Peace” claimed to have information on 200 million of those users for sale. That led to the discovery of the hack disclosed Thursday—one of the largest in history.
While no payment-card information was reportedly at risk, a breach of this size and type normally affects merchants and financial institutions in the form of increased account takeover (ATO) fraud attempts. Because the breach is two years old, however, there may not be a surge in ATO fraud, according to Ryan Wilk, vice president of customer success at antifraud technology provider NuData Security.
“From an ATO perspective, my thought is that most of the damage is done since the breach happened in 2014,” Wilk told CardNotPresent.com. “The Yahoo accounts that are actively being used by the correct account holder and would have value to a bad actor have undoubtedly been secured by now with a password update. There may still be accounts out there that can be accessed but they are more than likely junk accounts that had no value in the first place.”
Wilk, who led fraud teams for well-known national merchants, said he might create “a few” rules around Yahoo to “keep an eye on things,” but that the damage associated with this breach is most likely in the past. The greater risk to Yahoo at the moment is Verizon leveraging the disclosure to gain a better price on the pending acquisition or walking away from it entirely.