Company / division: Yahoo
The Yahoo breach reported before its acquisition by Verizon closed, and which had been said to affect 1 billion accounts, is now reported to have affected all 3 billion accounts Yahoo had. That could be a bit of a misleading number, given that there’s no way Yahoo had 3 billion separate customers – many of these accounts were likely dormant and duplicates of other accounts, so the actual number of people affected is likely far smaller, and the number who will have had sensitive information shared even smaller. But it’s still a staggering number. However, I’d bet that with the ongoing chatter about the Equifax hack (including the former CEO’s testimony in Congress this week), as well as the broad political story around tech companies and Russian election meddling, this will blow over really quickly and the additional fallout for Verizon and/or the Yahoo brand will be minimal. That may be sad, but no less true for that.
Verizon-Yahoo Deal Closes (Jun 13, 2017)
US Charges Russian FSB Officers and Their Criminal Conspirators for Hacking Yahoo and Millions of Email Accounts (Mar 15, 2017)
The stories that broke immediately before this press conference and announcement from the US DoJ suggested only that Russian nationals were involved, but the formal announcement makes clear that these were Russian agents and not just citizen hackers. That’s a good reminder that state-sponsored attacks are among the biggest things all online service companies have to worry about in our day and age, whether the state behind the hacking is Russia, China, North Korea, or some other country. Yes, ordinary hackers will still try and occasionally succeed in breaching these systems, but state sponsorship can put massively more resourced behind a hack like this and often have more success. That, in turn, raises the bar for companies vulnerable to this kind of hacking in terms of their security defenses, but should also make users think about what information they’re entrusting to these systems.
It looks like Yahoo is finally announcing the results of its independent investigation into the security breaches of the last few years, and as a result its general counsel is stepping down and CEO Marissa Mayer is losing her bonus and equity grant for the year, a decision apparently made by the board. Yahoo’s 10-K, also released today, gives a little more detail on the investigation, which was carried out by members of the board, assisted by outside counsel and a forensics expert. The investigation concluded that senior executives “did not properly comprehend or investigate, and therefore failed to act sufficiently upon, the full extent of knowledge known internally by the Company’s information security team.” That implies that it was executives and not security specialists within the company who messed up here, which explains why Mayer and general counsel Ronald Bell were punished. The paragraph on the findings is worth reading in full as it’s fairly damning about internal communication at Yahoo at the time. And yet this is all part of clearing the decks before Verizon takes over, at which point it will be hoping to put all this behind it. Not the best way for Mayer to go out, but I think that was inevitable at this point.
This is an interesting one – Mozilla is mostly still the Firefox browser company, despited repeated recent attempts to become something more, and so I wonder whether the Pocket functionality will end up being embedded into the browser as an equivalent of Safari’s Reading List feature. For now at least, it’s also going to continue to be a standalone app, which is good because I’ve been using it recently as a way to gather links from Twitter and other services to include in Tech Narratives! It’s also fascinating to think of this acquisition as being essentially funded by Yahoo, which of course now provides much of Mozilla’s revenue since it won a bidding war with Google a couple of years back. That’s another relationship that will be very interesting to watch as Verizon takes over, although the deal doesn’t expire until the end of 2019.
There was some reporting around this last week, though with several different figures for the discount on the original deal price, so I decided to wait until the new agreement was official to comment on it. The $350 million discount is not actually all that significant, which likely reflects the fact that security breaches like this don’t end up having all that much long-term impact on customer satisfaction or usage. It’s interesting that the two companies will split the cost of any future fallout other than SEC and shareholder investigations and lawsuits – I would have thought Yahoo would have picked up the tab for all costs relating to the breaches, but I guess it must have balked at that. Ironically, now the big question once again becomes whether Verizon can actually craft something compelling out of these various bits of yesteryear’s Internet. Verizon is said to be aiming to go head to head with Google and Facebook, which is a real stretch when it comes to well-targeted advertising, and I’m still very skeptical that these assets combined can ever be more than a second tier player in the online advertising market.
Yahoo’s results seem to have been well received, though it also announced that the Verizon acquisition now likely won’t close until Q2. The results themselves are a mixed bag, really – there’s been an interesting switch between search and display advertising performance over the past year, with erstwhile strength search taking something of a dive, while display advertising actually performs better. Overall revenue after traffic acquisition costs is still down year on year, but Q4 was stronger by far than the rest of 2016. Yahoo has changed the presentation of so many of its metrics that many of them are impossible to compare on a like for like basis year on year, but positive change overall is still hard to find in the results. Mostly, they’re probably better described as less bad rather than actually good. There’s plenty here for Verizon to sink its teeth into when the deal eventually does close.
via Yahoo Reports Fourth Quarter and Full Year 2016 Results – Yahoo (further coverage on Techmeme)
The only Yahoo stories I’ve covered here on Tech Narratives so far are those concerning the breaches and subsequent fallout, which is a great indicator of Yahoo’s current state – the only news it’s capable of making is negative, with no meaningful new features or products produced in recent months, while the damage from the breaches continues to reverberate, with a formal SEC investigation just the latest step. Verizon seems to be leaning towards completing its acquisition despite all this, but at the very least should secure a significant discount in the price it will pay as a result of all this. Though the user fallout will be far less severe than the negative press coverage, Verizon will still have to deal with all the ongoing ripple effects of the breaches, and that’s worth a significant cut in the acquisition price.
via Yahoo reportedly under investigation by SEC over data breaches | VentureBeat (full coverage on Techmeme)
As per a previous piece I linked to, despite all the attention the various Yahoo breaches have received in the press, they’ll likely have little impact on usage, which makes it likely Verizon will go ahead with the acquisition, though it may use the breaches as leverage to lower the price. The key point is that users have short memories, and the very people still using Yahoo (largely out of apathy in a world with better alternatives) are least likely to jump ship, which obviously helps.
This is an interesting take on the repeated Yahoo breaches and the implications, and it goes along with my gut sense that people have very short memories when it comes to security and privacy breaches. There’s lots of outrage in the short term, but it blows over very quickly, as any Google Trends search relating to a major breach will tell you. The hits keep coming with Yahoo, but ultimately I expect Verizon’s acquisition will still go through.