Updated Dec. 15, 2016 8:30 p.m. ET
Yahoo Inc.’s move to force some users to reset their passwords following a newly disclosed security breach could disrupt the planned sale of its core assets to Verizon Communications Inc., security experts say.
Yahoo didn’t force users to reset their passwords after its September disclosure of another breach. Experts say forcing users to reset their passwords typically causes some to drop a service.
That is one reason why the newly disclosed hack—which Yahoo says occurred in 2013 and affected more than one billion accounts—could prove more disruptive to Verizon’s pending $4.83 billion acquisition of Yahoo’s core assets.
Verizon’s decision to walk away or push for a reduced price rests on the damage to Yahoo, which will be defined by a drop in users or engagement with its websites and services, according to a person familiar with the matter.
Verizon had been aiming to close the deal in the middle of the first quarter. If the deal goes through, closing will likely slip to the latter half of the first quarter, the person said.
In September, Yahoo disclosed that hackers it believes were state-sponsored had stolen information in late 2014 on more than 500 million accounts. Yahoo said Wednesday it doesn’t believe the two incidents are related.
Following the September disclosure, Yahoo executives suggested to investors that the breach wasn’t material, in part because it hadn’t required users to reset their passwords. When it reported third-quarter financial results in October, Yahoo said users and engagement had stayed steady.
Yahoo is forcing users to reset their passwords now because some of the material taken in the 2013 breach wasn’t encrypted, and other parts were protected by what is now considered an outdated encryption scheme, according to a person familiar with that matter.
Verizon had been close to reaching a settlement with Yahoo that involved sharing future liabilities arising from the 2014 hack, such as potential lawsuits. But the disclosure of the larger 2013 breach effectively restarts the clock as Verizon seeks to determine how badly Yahoo’s brand has been damaged.
Security experts said the newly revealed 2013 hack was particularly troubling for users, because the unidentified hackers took not only usernames, passwords and other personal details for more than one billion accounts, but also those users’ security questions and answers.
The information frequently used for security questions—such as the maiden name of the user’s mother, the user’s high school or place of birth—doesn’t change, and might be used by hackers to gain access to accounts on other services. The number of people affected isn’t clear, because some may have more than one account and some accounts may be dormant.
“It doesn’t matter if you haven’t used your Yahoo account for 10 years, your mother’s maiden name or where you met your spouse is likely to stay the same,” says Tatu Ylönen, chief executive of computer security firm SSH Communications Security Inc. “Or even if your spouse changes, your mother’s maiden name still stays the same.”
Given the number of accounts involved, experts said the theft of the security questions and answers, some of which weren’t encrypted, poses new risks.
“The danger now isn’t just with people’s Yahoo accounts,” says Michael Geist, law professor at the University of Ottawa who specializes in internet law. “That’s where you start getting concerned.”
Yahoo could have taken more measures to protect the security-question data, security experts say. Andrew Komarov, chief intelligence officer with InfoArmor Inc., an information-security firm that has portions of the Yahoo database, said Yahoo appears not to have encrypted the security questions or answers.
Ideally, “the meta-data associated with the user account should be encrypted,” Mr. Komarov says.
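The article reports that some password material was stored unencrypted or under an outdated scheme, and that the security questions and answers appear not to have been protected at all. The added example below, which is illustrative code written for this article and not code from Yahoo, InfoArmor or any product, shows the defensive alternative a service can apply to both kinds of data: never store the answer itself, store a per-record random salt plus a slow, salted hash of a normalized form of the answer, and verify submitted answers by recomputing the hash. Hashing with a key-derivation function rather than reversible encryption is the technique chosen here; the record layout, the PBKDF2 parameters and the sample answer are assumptions for the example.

```python
import hashlib
import hmac
import os
import re
import unicodedata
from typing import Optional

# Assumed storage parameters for the example (not taken from any real system):
# a 16-byte random salt per record and PBKDF2-HMAC-SHA256 with 200,000 rounds.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16
HASH_BYTES = 32


def normalize_answer(answer: str) -> str:
    """Canonicalize a free-text answer so trivial variations still verify.

    Users type "St. Mary's", "st marys" or "ST MARYS" for the same school;
    the hash must be computed over a single canonical form, otherwise the
    legitimate user is locked out while the attacker with the plaintext is not.
    """
    text = unicodedata.normalize("NFKC", answer).casefold()
    text = re.sub(r"[^\w\s]", "", text)   # drop punctuation such as "." and "'"
    return " ".join(text.split())          # collapse runs of whitespace


def hash_answer(answer: str, salt: Optional[bytes] = None) -> dict:
    """Return the record to store instead of the plaintext answer."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)      # fresh random salt per record
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        normalize_answer(answer).encode("utf-8"),
        salt,
        PBKDF2_ITERATIONS,
        dklen=HASH_BYTES,
    )
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": PBKDF2_ITERATIONS}


def verify_answer(record: dict, candidate: str) -> bool:
    """Recompute the hash for a submitted answer and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        normalize_answer(candidate).encode("utf-8"),
        salt,
        record["iterations"],
        dklen=HASH_BYTES,
    )
    # hmac.compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(digest.hex(), record["hash"])


# Constructed sample record: this is all a stolen database row would contain
# under this scheme; the answer text itself is never written to storage.
SAMPLE_RECORD = hash_answer("St. Mary's High School")

if __name__ == "__main__":
    print("stored record:", SAMPLE_RECORD)
    print("matching answer verifies:", verify_answer(SAMPLE_RECORD, "ST MARYS HIGH SCHOOL"))
    print("wrong answer verifies:", verify_answer(SAMPLE_RECORD, "Lincoln High"))
```

The same salted slow-hash construction is what a service should use for passwords in place of an outdated fast digest; a stolen row then yields only salt and hash, and each guess against it costs the attacker a full key derivation. The normalization step matters for answers specifically, since answers such as a mother's maiden name are entered from memory and in varying form, and a scheme that rejects harmless variations pushes operators back toward storing plaintext.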
Beginning Wednesday, Yahoo emailed users to inform them about a data security issue that “may” involve their account information. Although breach notification laws vary by state, the email likely satisfied all state requirements, according to Paul Stephens, director of policy and advocacy for Privacy Rights Clearinghouse, a consumer education and advocacy nonprofit focused on privacy.
In the email to users, Yahoo recommends users change their passwords and security questions and answers for any other accounts on which they used the same or similar information used for their Yahoo accounts. The email also said some users will be required to change their passwords.
—Deepa Seetharaman contributed to this article.