Why the Latest Yahoo Hack Is So Much Worse Than You Think

Imagine you’re about to buy a restaurant. It’s a place that was hugely popular, but has since lost its luster. Your plan is to turn it around. Before you can close the deal, the business reveals not one, but two incidents that jeopardized its patrons’ safety. The inspectors show up, demanding more information. Meanwhile, news of the problem spreads like wildfire, which will make your renovation efforts even more challenging.

That gives you an idea of the position Verizon executives find themselves in after Yahoo disclosed its second massive security breach in two months. The first affected 500 million accounts, then the largest corporate hack in history. The breach Yahoo announced this week involved 1 billion accounts. The incidents, while separate hacks, both took place two or three years ago yet were only disclosed recently.

Yahoo’s stock, which had been steadily trading above $40 a share since Verizon made a $4.8 billion offer to buy its online operations, plunged 6% Thursday as the news surrounding the latest hack grew increasingly dire. The White House said that the FBI is investigating the hack. That followed reports that its victims included more than 150,000 federal workers, including FBI, CIA, NSA employees and former diplomats. New York’s Attorney General said he would also look into the breach.

[Chart: Yahoo Inc. (YHOO) vs. S&P 500 Percent Change Over Time – 1 Year. Source: FindTheCompany | Graphiq]

The news drew condemnation from officials in the U.S. and abroad. Senator Mark Warner of Virginia vowed to press Yahoo executives on “why its defenses have been so weak.” The head of a German cybersecurity agency slammed Yahoo as well, noting dryly, “There is an array of German email providers for whom security is not a foreign concept.”

The bitter pill for Verizon is that, at a time when data breaches are growing more common as well as more sophisticated, the Yahoo hack is not your typical cyberattack. Visit the site haveibeenpwned.com and you may find your email account among some of the big breaches in recent years: Target (110 million users), eBay (145 million), Adobe (152 million), LinkedIn (165 million), and MySpace (359 million).

But Yahoo’s multiple breaches are not only bigger, they’re taking years for the company to uncover, meaning more incidents could still surface. And they involve an Internet brand that was once a go-to site for news, content and email, meaning there’s plenty of sensitive data at stake. Yahoo has said that only 225 million of its accounts are actively used these days, but stolen data on passwords, birthdates and the personal questions used to verify identity remain vulnerable even for long-dormant accounts.

Yahoo offers a cautionary tale to companies that, facing a turnaround or pressure to keep costs down, opt to skimp on security budgets. Users may be accustomed to a single breach, provided the company improves security thereafter. But two massive breaches can drive even loyal users away, invite class-action lawsuits, and tarnish a brand. Verizon is potentially importing these hazards if it decides to go through with its Yahoo acquisition.

“It’s a pretty bad time for Yahoo because it’s been in acquisition negotiations with Verizon,” Troy Hunt, the security researcher who set up haveibeenpwned.com, said in an interview on Australian TV. “Not only is this [breach] double the size, but to have it demonstrate a pattern of failures on the part of Yahoo, you have to think it’s going to have a pretty serious impact on them.”

Still, Wall Street analysts didn’t appear concerned that Verizon would scuttle the Yahoo deal. They largely feel that Yahoo’s advertising technology and properties like Yahoo Sports and Yahoo Finance remain a strong fit with Verizon’s AOL unit. After Yahoo’s first data breach in September, a Verizon executive said the merger still made sense. Rather than walking away from a deal it’s coveted for a while, Verizon is likely to lower the offering price (as it did in the wake of the first breach) and to protect itself from any legal fallout from the hacks.

“At the end of the day, Verizon wants this property,” Oppenheimer analyst Jason Helfstein said on CNBC. “They want to put it with AOL and invest in ad technology across both brands.”
