Yahoo on Thursday reported the largest data breach in history - affecting at least 500 million user accounts - months after first detecting signs of an intrusion that the company blamed on "state-sponsored" hackers.
The Web giant called on customers to change their passwords and institute other protective measures, but the largest fallout could be for Yahoo itself. The long-faltering company this summer agreed to sell its core business for $4.8 billion to telecommunications giant Verizon in a deal now clouded by news of the massive breach. Verizon said it learned of the incident only "within the last two days."
The timeline highlighted a dilemma created by hacks: Companies often take months or even years to report suspicions of breaches - if they report them publicly at all - holding the information back from customers, business partners and even potential new owners of a company.
"The dark cloud this casts will be very long and will likely impact the merger agreement," Jeff Kagan, a Georgia-based telecommunications industry analyst, said in an email. "We'll just have to wait and see what happens next."
Yahoo learned of the incident in July, the same month it announced its deal with Verizon, a person familiar with the matter said, speaking on condition of anonymity to freely discuss the issue.
When asked, Yahoo declined to say whether it learned of the hack before or after that deal was announced.
Yahoo revealed the breach after Recode, a news site focusing on Silicon Valley, reported Thursday morning that the ailing tech giant would confirm a data breach affecting hundreds of millions of accounts.
Yahoo reported that the intrusion apparently began in 2014.
With the number of affected accounts reaching 500 million, the incident has the dubious distinction of being the largest breach on record, said Paul Stephens of the Privacy Rights Clearinghouse.
Stephens said that consumers must also take steps to take care of matters themselves, outside of their Yahoo accounts. "It's really important that individuals think long and hard about passwords as well as security questions and answers they used on Yahoo that they might have used somewhere else," Stephens said. "It's very important to remember that if that information is available to hackers, they are going to try and use it on other sites, as well."
Company Chief Information Security Officer Bob Lord wrote in a blog post that names, email addresses, telephone numbers, dates of birth and answers to security questions may have been stolen but that financial information such as credit card numbers apparently was not because that data was stored in a separate system.
"Yahoo is working closely with law enforcement on this matter," Lord wrote.
Sen. Mark Warner, D-Virginia, chastised Yahoo for not reporting suspicions of a breach sooner and called on the federal government to impose stricter disclosure requirements for companies. Companies face a messy patchwork of state disclosure laws but no federal standard for reporting about breaches, including when, how and who was affected.
"While its scale puts it among the largest on record, I am perhaps most troubled by news that this breach occurred in 2014, and yet the public is only learning details of it today," Warner said in a statement. "Action from Congress to create a uniform data breach notification standard so that consumers are notified in a much more timely manner is long overdue."
Although President Barack Obama proposed a federal law in 2015 that would give companies 30 days to notify the public about a discovered hack, lawmakers have yet to approve a national standard.
On Thursday, Sen. Richard Blumenthal, D-Connecticut, called on investigators to determine whether Yahoo intentionally withheld information about the incident to "artificially bolster its valuation" by Verizon - a potentially serious act of deception.
The impact on Verizon's deal with Yahoo was not immediately clear. Major data breaches have become a routine event for corporate America and also for major government agencies and political groups. The Yahoo intrusion stands out for the sheer scale of the customers apparently affected, a legacy of the company's once-commanding position for Internet users who turned to the company for Web searches, email accounts, user groups and news reports.
The Verizon deal was seen as a relatively soft landing for Yahoo, a company overtaken by competitors in nearly every one of its major businesses.
Verizon, in a statement, said it was monitoring news of the breach. "We understand that Yahoo is conducting an active investigation of this matter, but we otherwise have limited information and understanding of the impact," the company said. "We will evaluate as the investigation continues through the lens of overall Verizon interests, including consumers, customers, shareholders and related communities. Until then, we are not in position to further comment."
The security breach is yet another bruise for the aging tech firm and chief executive Marissa Mayer, who joined Yahoo in 2012 to effect a turnaround and ended up having to sell the firm's core assets instead.
Microsoft's recent acquisition of LinkedIn, which came one month after the social network revealed that 167 million of its accounts had been breached, shows that a breach alone is not necessarily enough to derail a deal, said John Lovallo, senior vice president at the public relations and strategic communications firm Levick.
But he said the tech giant will be hard-pressed to rehabilitate its overall reputation in light of this breach.
"Focus on the consumer and not the deal," Lovallo said. "If I were in that boardroom at this moment in time, I would say, 'We understand there's a huge deal on the table right now.' But first address and resolve the issue for your consumers, and the transaction will take care of itself."
Yahoo has had a poor security reputation in the past, one of the many things that Mayer has focused on since becoming chief executive.
Vice's Motherboard blog in August reported that Yahoo was investigating an alleged breach after the news organization found that a cybercriminal known as "Peace" claimed to be offering 200 million Yahoo user credentials for sale online. The data was advertised on the "dark Web" - a part of the Internet accessible only through the use of special software such as the anonymous browsing tool Tor and often associated with illicit activities.
Here are some answers to basic questions that you may have about the breach.
What information has been hacked?
Yahoo's chief information security officer, Bob Lord, said in a blog post that account information taken "may have" included names, email addresses, telephone numbers and dates of birth. Lord also said that password information -- though not passwords in plain text -- may have been stolen, as well as some answers to security questions.
How about financial information?
Yahoo is still investigating, but thus far Lord said financial information, including credit card numbers and payment card data, was not accessed; that information is stored in a separate system.
Still, users should check their credit scores to see if any new accounts have been opened in their name, as this type of personal information can be used as a key to get enough information to open an account.
How do I know if I've been affected?
Yahoo will be contacting potentially affected users by email. You can see the email text here.
Also, beware of scam emails that may reference the Yahoo breach to try and pull more information out of you, by asking you to "verify" information.
What should I do on my Yahoo account?
Users will be asked to change their passwords. Any unencrypted security questions and answers will be invalidated, meaning that users will have to submit new ones. Yahoo is also asking anyone who hasn't changed their password since 2014 to do so for good measure.
Does Yahoo have a place where I can find all this information?
The company has also set up a frequently asked questions page for anyone who may have been affected by the breach.
Is there anything else I should do?
Yes. Paul Stephens, of the Privacy Rights Clearinghouse, advised that Yahoo users think about the repercussions this may have on their non-Yahoo accounts as well. Any password, username or security question that you've used on your Yahoo account may now be in the hands of hackers, who are likely going to try and use that information on other sites.