With three Yahoo! data breaches revealed in just six months, it's time for Verizon to just move on.
Yahoo, a company being snapped up by Verizon as soon as regulators give it the green light, has detailed yet another data breach and this time there are 32 million lucky winners. This is the third announcement of its kind we've heard from Yahoo in just six months, to wit: the September 2016 announcement where we learned that 500 million accounts had been breached from as far back as 2014, and the December 2016 announcement where we were told that one billion — that's billion with a b — accounts were accessed going back to 2013. For anyone with more than a passing interest in information security, this is just horrifying.
Just as horrifying was what went down this time. 32 million is a lot of anything but well shy of the 500 million or one billion numbers we've seen from Yahoo. But Reuters tells us something that should make everyone who ever had a Yahoo account even more nervous:
"Based on the investigation, we believe an unauthorized third party accessed the company's proprietary code to learn how to forge certain cookies," Yahoo said in its latest annual filing.
These cookies have been invalidated so they cannot be used to access user accounts, the company said.
Forged cookies allow an intruder to access a user's account without a password.
So we have a person or persons who was able to create valid cookies that allowed invalid access to user accounts because they got the code to make them from a Yahoo system. Yahoo changed something to make them invalid cookies, but that doesn't address the two big elephants in the room: What else did they "learn" and how did they get access to materials that taught them what to do? More importantly, what else has happened or is still happening that hasn't been caught or disclosed?
The method used to gain access to 32,000,000 accounts is even worse than the news they were breached.
The details are vague at best. Yahoo might tell us more now that the cat is out of the bag, but in any case, it's time for Verizon to call off the deal currently in front of regulators. Cutting the price by $350 million like they did the last time Yahoo told the world accounts had been breached just isn't enough. Nor is Mayer not getting her yearly cash bonus as "punishment" for 1,532,000,000 instances where someone had their privacy invaded under her watch. I can admire Yahoo coming clean while a corporate sale is pending but that doesn't change anything about how or why this can happen. Right now, Yahoo would be little more than a brick tied to Verizon's foot while they stand on the end of the pier.
There are a handful of reasons why this is bad for Verizon. They aren't getting Alibaba and nothing else Yahoo currently has can make a dime, for starters. The biggest is that they will need to keep most of the current methods, infrastructure, and personnel to keep what they are buying up and running. And those are tainted beyond repair.
Current and future Verizon customers deserve better and should be confident that their private data is being properly safeguarded. While there will be little if any crossover of account records and information, do you feel good about a company with access to a mountain of your data hitching themselves to the hot mess that is Yahoo right now?
You shouldn't. And Verizon shouldn't expect you to feel good about it. It's time to bail and spend your 4.5 billion elsewhere, Verizon.