Yahoo and the Year of Living Dangerously
If there is a lesson to be drawn from Internet search giant Yahoo's hellish past year, it is a grimly illustrative one: Never assume a cybersecurity disaster can't get worse.
Last September, the Internet portal disclosed that it had suffered the most damaging and far-reaching data breach in history -- only to then announce in December the discovery of a second, earlier, and even larger hack.
Since the discovery, the sale of the company to Verizon has been put in jeopardy, as Yahoo -- which recently announced its name would be changing to "Altaba" -- began a probe into the hack that is expected to take several weeks. We may not know the full extent of these hacks' effects for years; indeed, it took years for the breaches to even be discovered.
What is known is that these travails were a long time coming. The Yahoo hacks were not acts of God, falling from the sky and striking an unlucky victim; they were the direct result of the corporation's continual neglect of information security as a vital priority for doing business.
The tragedy of Yahoo's troubles is not merely that its systems were compromised; that is a risk even the most secure online services may face. Rather, it is Yahoo's lack of attention to cybersecurity, such that it was unable to detect and respond to the breach, turning a very bad situation into a nightmarish one.
In 2014, hackers gained access to Yahoo's main user database, pilfering credentials and personal information from at least 500 million accounts in what was the biggest data breach in history.
Perplexingly, the theft went undiscovered until September 2016, when 200 million sets of user credentials appeared for sale on a darknet website. Yahoo's failure to identify a breach of such gargantuan magnitude -- one that it would somewhat ominously claim to be a "state-sponsored" act (an accusation rejected by researchers) -- was a dark portent of things to come.
The hack reported last December seems to be worse -- much worse. That hack, which is believed to have occurred in August 2013, resulted in at least 1 billion accounts suffering theft of personal information like names, phone numbers, and dates of birth. Perhaps even more damaging was the hackers' theft of poorly encrypted Yahoo passwords, as well as unencrypted answers to security questions like "What is your mother's maiden name?" or "What was your first car?" That information is meant to let users easily confirm their identities when resetting account details.
Some sensible security protocols and simple, low-cost encryption could have prevented this calamity. Adding insult to injury, the theft was not discovered until government investigators and private data analysts examining the first reported hack found evidence that a mysterious "third party" had gained access to other Yahoo data.
Incredibly, these thefts -- the largest and most damaging hacks in Internet history -- were perhaps not even the lowlight of Yahoo's year. That honor would belong to CEO Mayer's decision, at the behest of a U.S. intelligence agency, to scan the content of all Yahoo users' emails for specific phrases or attachments, a massive warrantless spy program so invasive that Yahoo's security team, uninformed of the effort, initially thought it was a hack.
It is not enough that Yahoo's security posture is moribund -- not only unable to prevent successive blitzes against billions of its users, but even to detect their occurrence. Worse, in this instance, is the fact that Yahoo is as fully complicit as any hacker in exposing its customers' most sensitive personal communications: It did so without permission, simply at the demand of a government agency bearing no warrant or probable cause.
Security Tsunami Warning
What, then, will be the fallout of Yahoo's year of living dangerously? Given the enormous potential for secondary fraud on other sites using Yahoo account credentials, forcing password resets now, years after the crime, is both entirely necessary and woefully inadequate. After years of criminals likely trading Yahoo user information on darknet marketplaces for cash, this attempt to rectify the situation is equivalent to changing the vault's combination a couple of years after a safecracker robbed the bank. In an information technology environment where Internet users commonly recycle the same credentials across the dozens of sites they regularly use, password reuse attacks are a growing threat.
Such an attack against Yahoo users has precedent, and the results could be frightening. In 2012, the login credentials of as many as 167 million accounts on business networking site LinkedIn were stolen by hackers, emerging again on darknet auction sites in May 2016.
The compromised information, which, as with Yahoo, included poorly encrypted passwords, is believed to have been responsible for numerous large-scale "password reuse" secondary attacks, including one major attack against cloud hosting platform Dropbox and 60 million of its accounts.
Given the potential for wreaking havoc, Yahoo's inadequate and outdated password encryption could have severe consequences, affecting even sites that securely encrypt their customers' passwords, through no fault of their own. This is the nightmare made possible through the theft of reused passwords: a cascading wave of data breaches affecting website after website.
Beyond these technical threats, Yahoo's lack of transparency in combating information theft has further endangered Internet users. It is becoming clear that under Mayer's leadership, Yahoo downgraded the importance of instituting much-needed cybersecurity measures, fearing that they would alienate a fickle user base with annoying new security requirements. However, the end result will be far worse reputational damage.
A user experience that results in hackers compromising every one of your Web accounts, or stealing your identity, is far worse than the inconvenience of signing into an email account using two-factor authentication.
This short-sightedness extended to Yahoo's public relations reaction: While the company would ultimately estimate that a half billion accounts were affected in the 2014 hack, the true number may be as high as 3 billion; and while Yahoo may claim any affected accounts are being identified and reset, its inability to detect even larger breaches is more than enough reason to doubt the effort's efficacy.
Fortunately, this debacle need not be entirely in vain, if some simple lessons can be absorbed. Had Yahoo made modest, sensible improvements in its security posture, the hackers might have been dissuaded from attempting such an ambitious heist, or at least been frustrated in their attempts to do so.
Cyber risk is an unavoidable aspect of Internet business today, and even in the worst-case scenario of a breach, reasonable precautions and rapid action can prevent extensive damage.
For example, when drag-and-drop website creator Weebly suffered a hack affecting 43 million of its users, the company's ready cooperation with the observers who discovered the attack helped it to quickly issue password resets, while its strong password encryption further prevented customer sites from being accessed.
The latest breach revelation may derail Verizon's planned $4.83 billion acquisition of the search giant, but that would hardly be the greatest cost of Yahoo's incompetence.
As always, the people who will most suffer are the consumers to whom Yahoo owes its responsibility. They entrusted Yahoo with their personal information -- a trust the former No. 1 search engine has inexcusably betrayed.