Just over a month since Yahoo revealed that information associated with at least 500 million user accounts was stolen in 2014, the Internet giant has admitted that hackers had successfully intruded its systems and compromised more than one billion user accounts one year before, in 2013.

Law firm Mishcon de Reya's Cyber Security Lead, Joe Hancock, said Yahoo' latest loss is "staggering". “To put this into context Yahoo has lost records for over three times the entire US population. Given the sheer volume it is hard to believe that these breaches have gone undetected for over two years. Yahoo have attributed this breach to a state actor which is unusual, as such a large data set would usually be targeted by criminals. Without any evidence this claim is hard to believe.

"This comes at a difficult time for Yahoo, as it is unlikely to enamour itself to new owners at Verizon. After the 2013 data breach at Target, legal claims ran to millions of dollars and continued for several years. In the case of TalkTalk, the share price fell by 11.5%, before recovering. Breaches like this hit a business' balance sheet and Verizon may start to feel these liabilities directly."

The fact that this is the second Yahoo! breach that has been disclosed in the last 3 months just goes to show how deep some of these major data breaches go, according to David Gibson, VP of strategy and market development at Varonis. “Many organisations are breached just as severely as Yahoo!, but may never know as they are not actively investigating.

“Bob Lord, Yahoo!’s CISO, said that steps have been taken to secure the accounts that have been breached. I am always sceptical of statements like this. How do you know? What if the remaining accounts were breached without any evidence left behind? We don’t know what we don’t know. You almost have to concede the worst: the entirety of our data has been compromised. Perhaps more worrying is that, according to a former security engineer, Yahoo! installed a backdoor that allowed the NSA to read ALL user’s emails behind their security teams backs.”

Cybersecurity expert Javvad Malik of AlienVault said the statement should not come as a surprise to anyone.

“Companies will always be targeted and breaches will occur. The larger the company, the more likely it will be targeted and breached.

"However, it is vitally important to be able to detect a breach in a timely manner so as to either prevent the breach, to minimise the impact, or to forewarn users, customers, and shareholders so that steps can be taken to prevent being caught off guard.”

Malik says that when a breach is disclosed after three years, however, it has almost zero value. “The damage has been long done and people could have ended up victims without realising the source.

"The lack of breach detection is extremely worrying, and should serve as a reminder to all organisations of all sizes that if you hold user data, you have a responsibility to secure it.”

Share Story: