Internet giant Yahoo is reportedly set to confirm the legitimacy of a 2012 data breach that exposed roughly 200 million customers’ accounts in a move that could have major implications for the stability of the business, several sources close to the firm have claimed.
Sources, who remain anonymous due to the sensitivity of the disclosure, said that consequences of the announcement could include government investigations or even legal action and branded the hack as “widespread and serious”.
Earlier this year, Yahoo said it was “aware” of reports that a hacker using the name “Peace” had uploaded what purported to be millions of user accounts to an underground marketplace called The Real Deal.
In exchange for the data, the hacker was asking for 3 Bitcoin (£1,395, $1,838).
The leaked data included usernames, hashed passwords and date of births. Attempts to verify the cache yielded both positive and negative results – to be expected for an older dataset. However, in the wake of the incident, Yahoo failed to enforce a password reset for its billions of users.
Now, according to Recode, when asked about the scope of the breach, one source said it was “worse, really” than previously known.
At the time the leak was made public, Yahoo toldIBTimes UK via email: “We are aware of a claim. We are committed to protecting the security of our users’ information and we take any such claim very seriously. Our security team is working to determine the facts.”
The multiple sources said that official confirmation of the breach – expected to come this week – could potentially impact the ongoing deal with Verizon, which purchased Yahoo’s core business back in July for $4.8 billion (£3.6bn).
The confirmation could also spook company shareholders, who will likely be concerned the major hacking blunder could impact the ongoing takeover, which is currently subject to approval by a number of regulatory bodies.
The suspected leak of Yahoo data came after a slew of other “mega-breaches” at other technology firms including Myspace, LinkedIn, Tumblr and Russian social media platform VK. Many of the datasets were uploaded by the same mysterious “Peace” hacker, however it remains unclear how the user records were initially compromised.