Yahoo says all three billion accounts hacked in 2013 data theft

By Jonathan Stempel and Jim Finkle

(Reuters) – Yahoo on Tuesday said that all 3 billion of its accounts were hacked in a 2013 data theft, tripling its earlier estimate of the size of the largest breach in history, in a disclosure that attorneys said sharply increased the legal exposure of its new owner, Verizon Communications Inc <VZ.N>.

The news expands the likely number and claims of class action lawsuits by shareholders and Yahoo account holders, they said. Yahoo, the early face of the internet for many in the world, already faced at least 41 consumer class-action lawsuits in U.S. federal and state courts, according to a company securities filing in May.

John Yanchunis, a lawyer representing some of the affected Yahoo users, said a federal judge who allowed the case to go forward still had asked for more information to justify his clients’ claims.

“I think we have those facts now,” he said. “It’s really mind-numbing when you think about it.”

Yahoo said last December that data from more than 1 billion accounts was compromised in 2013, the largest of a series of thefts that forced Yahoo to cut the price of its assets in a sale to Verizon.

Yahoo on Tuesday said “recently obtained new intelligence” showed all user accounts had been affected. The company said the investigation indicated that the stolen information did not include passwords in clear text, payment card data, or bank account information.

But the information was protected with outdated, easy-to-crack encryption, according to academic experts. It also included security questions and backup email addresses, which could make it easier to break into other accounts held by the users.

Many Yahoo users have multiple accounts, so far fewer than 3 billion people were affected, but the theft ranks as the largest to date, and a costly one for the internet pioneer.

Verizon in February lowered its original offer by $350 million for Yahoo assets in the wake of two massive cyber attacks at the internet company.

Some lawyers asked whether Verizon would look for a new opportunity to address the price.

“This is a bombshell,” said Mark Molumphy, lead counsel in a shareholder derivative lawsuit against Yahoo’s former leaders over disclosures about the hacks.

Verizon did not respond to a request for comment about any possible lawsuit over the deal.

Verizon, the likely main target of legal actions, also could be challenged as it launches a new brand, Oath, to link its Yahoo, AOL and Huffington Post internet properties.

In August, in the separate lawsuit brought by Yahoo’s users, U.S. Judge Lucy Koh in San Jose, California, ruled Yahoo must face nationwide litigation brought on behalf of account owners who said their personal information was compromised in the three breaches. Yanchunis, the lawyer for the users, said his team planned to use the new information later this month to expand its allegations.

Also on Tuesday, Senator John Thune, chairman of the U.S. Senate Commerce Committee, said he plans to hold a hearing later this month over massive data breaches at Equifax Inc <EFX.N> and Yahoo. The U.S. Securities and Exchange Commission already had been probing Yahoo over the hacks.

The closing of the Verizon deal, which was first announced in July, had been delayed as the companies assessed the fallout from two data breaches that Yahoo disclosed last year. The company paid $4.48 billion for Yahoo’s core business.

A Yahoo official emphasized Tuesday that the 3 billion figure included many accounts that were opened but that were never, or only briefly, used.

The company said it was sending email notifications to additional affected user accounts.

The new revelation follows months of scrutiny by Yahoo, Verizon, cybersecurity firms and law enforcement that failed to identify the full scope of the 2013 hack.

The investigation underscores how difficult it is for companies to get ahead of hackers, even when they know their networks have been compromised, said David Kennedy, chief executive of cybersecurity firm TrustedSEC LLC.

Companies often do not have systems in place to gather up and store all the network activity that investigators could use to follow the hackers’ tracks.

“This is a real wake up call,” Kennedy said. “In most guesses, it is just guessing what they had access to.”

(Reporting by Munsif Vengattil, Jim Finkle, Jim Christie, Jon Stempel, and David Shepardson; writing by Stephen Nellis in San Francisco; Editing by Andrew Hay and Lisa Shumaker)

German cyber agency chides Yahoo for not helping hacking probe

A photo illustration shows a Yahoo logo on a smartphone in front of a displayed cyber code and keyboard on December 15, 2016. REUTERS/Dado Ruvic/Illustration

By Andrea Shalal

BERLIN (Reuters) – Germany’s federal cyber agency said on Thursday that Yahoo Inc <YHOO.O> had not cooperated with its investigation into a series of hacks that compromised more than one billion of the U.S. company’s email users between 2013 and 2016.

Yahoo’s Dublin-based Europe, Middle East and Africa unit “refused to give the BSI any information and referred all questions to the Irish Data Protection Commission, without, however, giving it the authority to provide information to the BSI,” Germany’s BSI computer security agency said.

A BSI spokesman said it decided to go public after Yahoo repeatedly failed to respond to efforts to look into the data breaches and garner lessons to prevent similar lapses. BSI also urged internationally active Internet service providers to work more closely with it when German customers were affected by cyber attacks and other computer security issues.

Yahoo did not respond to requests for comment, while Ireland’s data protection agency was not immediately available.

The BSI’s statement comes at a time of heightened German government concerns about Russian meddling in national elections in September, after cyber attacks on the French and U.S. presidential elections which have been linked to Russia.

The U.S. Justice Department in March charged two Russian intelligence agents and two hackers with masterminding the 2014 theft of 500 million Yahoo accounts, marking the first time the U.S. government had criminally charged Russian spies for cyber offences.

Moscow has denied any involvement in hacking.

The BSI said it did not yet have any concrete information about the data breaches because of Yahoo’s lack of cooperation.

“Users should therefore be very careful about which services they want to use in the future and to whom they entrust their data,” BSI President Arne Schoenbohm said in a statement.

The BSI chief reiterated his recommendation that German consumers consider switching to other email service providers, adding that certifications such as those offered with C5-class cloud service security were valuable for customers.

C5 is a German government scheme to encourage cloud-based internet service providers to attest they use various safeguards against cyber attacks.

Late last year Yahoo, which has agreed to be acquired by U.S. telecoms giant Verizon <VZ.N> and is set to be merged with AOL to form a new business known as Oath, revealed a data breach dating back to 2013 of one billion user accounts.

The various disclosures led Verizon to cut the amount it was willing to pay for Yahoo by $350 million on its previously agreed $4.83 billion deal. Yahoo has said it expects the merger into Verizon to close in June.

BSI said an additional 32 million Yahoo users were affected by cyber breaches in 2015 and 2016. A spokesman for the agency said he was unaware of any additional breaches in 2017.

(Additional reporting by Eric Auchard in Frankfurt; editing by Alexander Smith)

U.S. authorities charge Russian spies, hackers in huge Yahoo hack

The John Sopinka Courthouse, where Karim Baratov appeared in front of a judge, in connection with a U.S. Justice Department investigation into the 2014 hacking of Yahoo, is pictured in Hamilton, Ontario, Canada March 15, 2017 . REUTERS/Peter Power

By Dustin Volz

WASHINGTON (Reuters) – The United States on Wednesday charged two Russian intelligence agents and two hackers with masterminding the 2014 theft of 500 million Yahoo accounts, the first time the U.S. government has criminally charged Russian spies for cyber offences.

The charges came amid a swirl of controversies relating to alleged Kremlin-backed hacking of the 2016 U.S. presidential election and possible links between Russian figures and associates of U.S. President Donald Trump. This has given rise to uncertainty about whether Trump is willing to respond forcefully to any action by Moscow in cyberspace and elsewhere.

The 47-count Justice Department indictment included charges of conspiracy, computer fraud and abuse, economic espionage, theft of trade secrets, wire fraud, access device fraud and aggravated identity theft. It painted a picture of the Russian security services working hand-in-hand with cyber criminals, who helped spies further their intelligence goals in exchange for using the same exploits to make money.

“The criminal conduct at issue, carried out and otherwise facilitated by officers from an FSB unit that serves as the FBI’s point of contact in Moscow on cyber crime matters, is beyond the pale,” Acting Assistant Attorney General Mary McCord said at a press conference announcing the charges.

Russia’s Federal Security Service (FSB) is the successor to the KGB.

The Kremlin, which denies Russia tried to influence the U.S. election in any way, said on Thursday Moscow had received no official notification of the indictment, but hoped it would.

However, Dmitry Peskov, President Vladimir Putin’s spokesman, dismissed out of hand the idea that FSB employees could have been involved in the Yahoo hack.

“We have said repeatedly that there can be no discussion of any official involvement of any Russian agency, including the FSB … in any unlawful cyber activities,” said Peskov, who has cast U.S. allegations against Russia as part of a political campaign to kill off a U.S.-Russia rapprochement.

Yahoo said when it announced the then-unprecedented breach last September that it believed the attack was state-sponsored, and on Wednesday the company said the indictment “unequivocally shows” that to be the case.

The charges announced Wednesday are not related to the hacking of Democratic Party emails during the 2016 U.S. presidential election. U.S. intelligence agencies have said they were carried out by Russian spy services, including the FSB, to help the campaign of Republican candidate Donald Trump.

The indictment named the FSB officers involved as Dmitry Dokuchaev and his superior, Igor Sushchin, who are both in Russia.

Dokuchaev was arrested for treason in December, according to the Russian news agency Interfax.

Reuters sent a request for comment to the FSB in Moscow on Wednesday evening but there was no response.

The alleged criminals involved in the scheme include Alexsey Belan, who is among the FBI’s most-wanted cyber criminals and was arrested in Europe in June 2013 but escaped to Russia before he could be extradited to the United States, according to the Justice Department.

Karim Baratov, who was born in Kazakhstan but has Canadian citizenship, was also named in the indictment.

The Justice Department said Baratov was arrested in Canada on Tuesday. Mark Pugash of Toronto police later confirmed the Tuesday arrest.

McCord said the hacking campaign was waged by the FSB to collect intelligence but that the two hackers used the collected information as an opportunity to “line their pockets.”

The United States does not have an extradition treaty with Russia, but McCord said she was hopeful Russian authorities would cooperate in bringing criminals to justice. The United States often charges cyber criminals with the intent of deterring future state-sponsored activity.

The administration of former President Barack Obama brought similar charges against Chinese and Iranian hackers who have not been extradited.

In a statement, White House spokesman Michael Anton said the charges “are part of a broad effort across the government to defend the United States against cyber attacks and cyber-related crimes.”

‘RED NOTICE’

Yahoo in December announced another breach that occurred in 2013 affecting one billion accounts. Special Agent Jack Bennett of the FBI’s San Francisco Division said the 2013 breach is unrelated and that an investigation of that incident is ongoing.

The hacks forced Yahoo to accept a discount of $350 million in what had been a $4.83 billion deal to sell its main assets to Verizon Communications Inc <VZ.N>.

At least 30 million of the Yahoo accounts in the 2014 breach were the most seriously affected, with Belan able to burrow deep into their accounts and take user contact lists that were later used for a financially motivated spam campaign, according to the indictment. Belan also stole financial information such as credit card numbers and gift cards, it said.

Yahoo had previously said about 32 million accounts had fallen victim to the deeper attack, which it said leveraged forged browser cookies to access accounts without the need for a password.

According to the indictment, FSB officers Sushchin and Dokuchaev also directed Baratov to use the information gained in the Yahoo breach to hack specific targets who possessed email accounts with other service providers, including Google.

When Baratov was successful, Dokuchaev would reward him with a bounty, the indictment charged.

Examples where Google accounts were targeted include an assistant to the deputy chairman of the Russian Federation, an officer of the Russian Ministry of Internal Affairs, and a physical training expert employed by the Russian government.

Details in the indictment reflect the often murky relationship in Russia between criminal hackers and government intelligence officers.

Interpol issued a “red notice” on Belan in relation to an earlier hacking campaign, according to the indictment. Instead of arresting Belan, however, the FSB recruited him to help with cyber espionage and provided tools to evade detection from other authorities.

Belan later gained unauthorized access to Yahoo’s network, which he shared with the FSB, the indictment said.

(Reporting by Dustin Volz in Washington and Joseph Menn in San Francisco; Additional reporting by Julia Edwards in Washington and Alexander Winning and Dasha Afanasieva in Moscow; Editing by Jeffrey Benkoe and James Dalgleish)

U.S. indicts Russian spies, hackers over massive Yahoo hack

Acting AAG for National Security Mary McCord speaks in front of a poster of a suspected Russian hacker during a joint news conference of the FBI National Security Division and the U.S. Attorney's Office for the Northern District of California at the Justice Department in Washington, U.S., March 15, 2017. REUTERS/Yuri Gripas

By Dustin Volz

WASHINGTON (Reuters) – The U.S. government on Wednesday unsealed charges against two Russian spies and two criminal hackers for allegedly pilfering 500 million Yahoo user accounts in 2014.

The indictments, announced at a news conference in Washington, represent the first time the U.S. government has criminally charged Russian officials for cyber offenses.

The contents of at least 30 million accounts were accessed as part of a spam campaign and at least 18 people who used other internet service providers, such as Google, were also victimized, the government charged.

The officers of the FSB, Russia’s Federal Security Service, which is a successor to the KGB, were identified as Dmitry Dokuchaev and his superior, Igor Sushchin, the government said.

Both men are in Russia, it said.

Alexsey Belan, who is on the list of most-wanted cyber criminals, and Karim Baratov, who was born in Kazakhstan but has Canadian citizenship, were also named in the indictment.

The Justice Department said Baratov was arrested in Canada on Tuesday and his case is pending with Canadian authorities.

Belan was arrested in Europe in June 2013 but escaped to Russia before he could be extradited to the United States, according to the Justice Department.

“The criminal conduct at issue, carried out and otherwise facilitated by officers from an FSB unit that serves as the FBI’s point of contact in Moscow on cyber crime matters, is beyond the pale,” said Acting Assistant Attorney General Mary McCord.

McCord said the hacking campaign was waged by the FSB to collect intelligence but that the two hackers used the collected information as an opportunity to “line their pockets.”

The United States does not have an extradition treaty with Russia, but McCord said she was hopeful Russian authorities would cooperate in bringing criminals to justice. The United States often charges cyber criminals with the intent of deterring future state-sponsored activity.

The administration of former President Barack Obama brought similar charges against Chinese and Iranian hackers who have not been extradited.

The 47-count indictment includes conspiracy, computer fraud and abuse, economic espionage, theft of trade secrets, wire fraud, access device fraud and aggravated identity theft.

The charges are not related to the hacking of Democratic Party emails during the 2016 U.S. presidential election. Intelligence agencies have said they were carried out by Russia to help the campaign of Republican candidate Donald Trump.

Yahoo said when it announced the then-unprecedented breach last September that it believed the attack was state-sponsored, and on Wednesday the company said the indictment “unequivocally shows” that to be the case.

Yahoo in December also announced a breach that occurred in 2013 affecting one billion accounts, though it has not linked that intrusion to the one in 2014.

The Russian hacking conspiracy, which began as early as 2014, allowed Belan to use his relationship with the Russian spy agency and access to Yahoo’s network to engage in financial crimes, according to the indictment.

The breaches were the latest in a series of setbacks for the Internet pioneer, which has fallen on hard times in recent years after being eclipsed by younger, fast-growing rivals including Alphabet Inc’s Google and Facebook Inc.

Yahoo’s disclosure of the years-old cyber invasions and its much-criticized slow response forced it to accept a discount of $350 million in what had been a $4.83 billion deal to sell its main assets to Verizon Communications Inc.

Shares of Yahoo were down 0.9 percent.

“We’re committed to keeping our users and our platforms secure and will continue to engage with law enforcement to combat cyber crime,” Chris Madsen, Yahoo’s assistant general counsel, said in a statement.

(Reporting by Dustin Volz and Joseph Menn; Additional reporting by Julia Edwards; Editing by Jeffrey Benkoe and James Dalgleish)

Yahoo says about 32 million accounts accessed using ‘forged cookies’

A photo illustration shows a Yahoo logo on a smartphone in front of a displayed cyber code and keyboard on December 15, 2016. REUTERS/Dado Ruvic/File Illustration

(Reuters) – Yahoo Inc <YHOO.O>, which disclosed two massive data breaches last year, said on Wednesday that about 32 million user accounts were accessed by intruders in the last two years using forged cookies.

The company said some of the latest intrusions can be connected to the “same state-sponsored actor believed to be responsible for the 2014 breach”, in which at least 500 million accounts were affected.

“Based on the investigation, we believe an unauthorized third party accessed the company’s proprietary code to learn how to forge certain cookies,” Yahoo said in its latest annual filing.

These cookies have been invalidated so they cannot be used to access user accounts, the company said.

Forged cookies allow an intruder to access a user’s account without a password.

Yahoo also said in December that data from more than 1 billion user accounts was compromised in August 2013, making it the largest breach in history.

The company said on Wednesday that it would not award Chief Executive Marissa Mayer a cash bonus for 2016, following the independent committee’s findings related to the 2014 security incident.

Mayer has also offered to forgo any 2017 annual equity award as the breaches occurred during her tenure, Yahoo said.

Last month, Verizon Communications Inc <VZ.N>, which is in the process of buying Yahoo’s core assets, lowered its original offer by $350 million to $4.48 billion.

(Reporting by Rishika Sadam in Bengaluru; Editing by Anil D’Silva)

Yahoo email scan shows U.S. spy push to recast constitutional privacy

By Joseph Menn

(Reuters) – Yahoo Inc’s secret scanning of customer emails at the behest of a U.S. spy agency is part of a growing push by officials to loosen constitutional protections Americans have against arbitrary governmental searches, according to legal documents and people briefed on closed court hearings.

The order on Yahoo from the secret Foreign Intelligence Surveillance Court (FISC) last year resulted from the government’s drive to change decades of interpretation of the U.S. Constitution’s Fourth Amendment right of people to be secure against “unreasonable searches and seizures,” intelligence officials and others familiar with the strategy told Reuters.

The unifying idea, they said, is to move the focus of U.S. courts away from what makes something a distinct search and toward what is “reasonable” overall.

The basis of the argument for change is that people are making much more digital data available about themselves to businesses, and that data can contain clues that would lead to authorities disrupting attacks in the United States or on U.S. interests abroad.

While it might technically count as a search if an automated program trawls through all the data, the thinking goes, there is no unreasonable harm unless a human being looks at the result of that search and orders more intrusive measures or an arrest, which even then could be reasonable.

Civil liberties groups and some other legal experts said the attempt to expand the ability of law enforcement agencies and intelligence services to sift through vast amounts of online data, in some cases without a court order, was in conflict with the Fourth Amendment because many innocent messages are included in the initial sweep.

“A lot of it is unrecognizable from a Fourth Amendment perspective,” said Orin Kerr, a former federal prosecutor and Georgetown University Law School expert on surveillance. “It’s not where the traditional Fourth Amendment law is.”

But the general counsel of the Office of the Director of National Intelligence (ODNI), Robert Litt, said in an interview with Reuters on Tuesday that the legal interpretation needed to be adjusted because of technological changes.

“Computerized scanning of communications in the same way that your email service provider scans looking for viruses – that should not be considered a search requiring a warrant for Fourth Amendment purposes,” said Litt. He said he is leaving his post on Dec. 31 as the end of President Barack Obama’s administration nears.

DIGITAL SIGNATURE

Reuters was unable to determine what data, if any, was handed over by Yahoo after its live email search. The search was first reported by Reuters on Oct. 4. Yahoo and the National Security Agency (NSA) declined to explain the basis for the order.

The surveillance court, whose members are appointed by U.S. Supreme Court Chief Justice John Roberts, oversees and approves the domestic pursuit of intelligence about foreign powers. While details of the Yahoo search are classified, people familiar with the matter have told Reuters it was aimed at isolating a digital signature for a single person or small team working for a foreign government frequently at odds with America.

The ODNI is expected to disclose as soon as next month an estimated number of Americans whose electronic communications have been caught up in online surveillance programs intended for foreigners, U.S. lawmakers said.

The ODNI’s expected disclosure is unlikely to cover such orders as the one to Yahoo but would encompass those under a different surveillance authority called section 702. That section allows the operation of two internet search programs, Prism and “upstream” collection, that were revealed by former NSA contractor Edward Snowden more than three years ago. Prism gathers the messaging data of targets from Alphabet Inc’s Google, Facebook, Microsoft and Apple, among others.

Upstream surveillance allows the NSA to copy web traffic to search data for certain terms called “selectors,” such as email addresses, that are contained in the body of messages. ODNI’s Litt said ordinary words are not used as selectors.

The Fourth Amendment applies to the search and seizure of electronic devices as much as ordinary papers. Wiretaps and other surveillance in the internet age are now subject to litigation across the United States. But in the FISC, with rare exceptions, the judges hear only from the executive branch.

Their rulings have been appealed only three times, each time going to a review board. Only the government is permitted to appeal from there, and so far it has never felt the need.

PUBLIC LEGAL CHALLENGES

The FISC’s reasoning, though, is heading into public courts. The 9th U.S. Circuit Court of Appeals on Dec. 5 cited FISC precedents in rejecting an appeal of an Oregon man who was convicted of plotting to bomb a Christmas tree lighting ceremony after his emails were collected in another investigation.

Groups such as the American Civil Liberties Union and the Electronic Frontier Foundation are fighting the expansion of legalized surveillance in Congress and in courts.

On Dec. 8, the ACLU argued in the 4th U.S. Circuit Court of Appeals that a lawsuit by Wikipedia’s parent group against the NSA should not have been dismissed by a lower court, which ruled that the nonprofit could not show it had been snooped on and that the government could keep details of the program secret.

The concerns of civil libertarians and others have been heightened by President-elect Donald Trump’s nomination of conservative Representative Mike Pompeo of Kansas to be director of the CIA. Pompeo, writing in the Wall Street Journal in January, advocated expanding bulk collection of telephone calling records in pursuit of Islamic State and its sympathizers who could plan attacks on Americans. Pompeo said the records could be combined with “publicly available financial and lifestyle information into a comprehensive, searchable database.”

Yahoo’s search went far beyond what would be required to monitor a single email account. The company agreed to create and then conceal a special program on its email servers that would check all correspondence for a specific string of bits.

Trawling for selectors is known as “about” searching, when content is collected because it is about something of interest rather than because it was sent or received by an established target. It is frequently used by the NSA in its bulk upstream collection of international telecom traffic.

The Privacy and Civil Liberties Oversight Board, an appointed panel established by Congress as part of its post-9/11 expansion of intelligence authority, reported in 2014 that “about” searches “push the program close to the line of constitutional reasonableness.”

A glimpse of the new legal arguments came in a FISC proceeding last year held to review NSA and FBI annual surveillance targets and four sets of procedures for limiting the spread of information about Americans.

Judge Thomas Hogan appointed Amy Jeffress, an attorney at Arnold and Porter and a former national security prosecutor, to weigh in, the first time that court had asked an outside privacy expert for advice before making a decision.

Jeffress argued each search aimed at an American should be tested against the Fourth Amendment, while prosecutors said that only overall searching practice had to be evaluated for “reasonableness.” Hogan agreed with the government, ruling that even though the Fourth Amendment was all but waived in the initial data gathering because foreigners were the targets, the voluminous data incidentally gathered on Americans could also be used to investigate drug deals or robberies.

“While they are targeting foreign intelligence information, they are collecting broader information, and there needs to be strong protections for how that information is used apart from national security,” Jeffress told Reuters.

ODNI’s Litt wrote in a February Yale Law Review article that the new approach was appropriate, in part because so much personal data is willingly shared by consumers with technology companies. Litt advocated for courts to evaluate “reasonableness” by looking at the entirety of the government’s activity, including the degree of transparency.

Litt told Reuters that he did not mean, however, that the same techniques in “about” searches should be pushed toward the more targeted searches at email providers such as Yahoo.

Although speaking generally, he said: “My own personal approach to this is you should trade off broader collection authority for stricter use authority,” so that more is taken in but less is acted upon.

This position strikes some academics and participants in the process as a remarkable departure from what the highest legal authority in the land was thinking just two years ago.

That was when the Supreme Court’s Roberts wrote for a majority in declaring that mobile phones usually could not be searched without warrants.

After prosecutors said they had protocols in place to protect phone privacy, Roberts wrote: “Probably a good idea, but the Founders did not fight a revolution to gain the right to government agency protocols.”

With little evidence that the Supreme Court agrees with the surveillance court, it remains possible it would reverse the trend. But a case would first need to make its way up there.

(Reporting by Joseph Menn in San Francisco; additional reporting by Dustin Volz, Mark Hosenball and John Walcott in Washington; Editing by Jonathan Weber and Grant McCool)

Yahoo under scrutiny after latest hack, Verizon seeks new deal terms

By Greg Roumeliotis and Jessica Toonkel

NEW YORK (Reuters) – Yahoo Inc <YHOO.O> came under renewed scrutiny by federal investigators and lawmakers on Thursday after disclosing the largest known data breach in history, prompting Verizon Communications Inc <VZ.N> to demand better terms for its planned purchase of Yahoo’s internet business.

Shares of the Sunnyvale, California-based internet pioneer fell more than 6 percent after it announced the breach of data belonging to more than 1 billion users late on Wednesday, following another large hack reported in September.

Verizon, which agreed to buy Yahoo’s core internet business in July for $4.8 billion, is now trying to persuade Yahoo to amend the terms of the acquisition agreement to reflect the economic damage from the two hacks, according to people familiar with the matter.

The U.S. No. 1 wireless carrier still expects to go through with the deal, but is looking for “major concessions” in light of the most recent breach, according to another person familiar with the situation.

Asked about the status of the deal, a Yahoo spokesperson said: “We are confident in Yahoo’s value and we continue to work towards integration with Verizon.”

Verizon had already said in October it was reviewing the deal after September’s breach disclosure. Late on Wednesday, it said it would “review the impact of this new development before reaching any final conclusions” about whether to proceed.

The company declined to comment beyond that statement on Thursday.

Verizon has threatened to go to court to get out of the deal if it is not repriced, citing a material adverse effect, said the people familiar with the matter, who asked not to be identified because the negotiations are confidential.

No court in Delaware, where Yahoo is incorporated, has ever found that a material adverse effect has occurred that would allow companies to terminate a merger agreement.

Nevertheless, the threat of a court case on the issue has been successfully used by companies to renegotiate deals, and experts said that some concessions from Yahoo are likely, given the magnitude of the cyber security breaches.

Renegotiating the deal’s price tag would be the simplest but also least likely scenario because the impact of the data breaches will not be apparent for some time, according to Erik Gordon, a professor at the University of Michigan’s Ross School of Business.

A more likely concession would be for Yahoo to agree to compensate Verizon after the close of the deal, based on the liabilities that occur. The two companies may also agree to extend the close of the deal to allow for more time for information to come in on the impact of the breaches, Gordon suggested.

Verizon shares rose 0.4 percent to close at $51.81, in line with the S&P 500 Index <.SPX>. Yahoo closed down 6.1 percent at $38.41.

BIGGEST BREACH

Yahoo said late on Wednesday that it had uncovered a 2013 cyber attack that compromised data of more than 1 billion user accounts, the largest known breach on record.

It said the data stolen may have included names, email addresses, telephone numbers, dates of birth, hashed passwords and, in some cases, encrypted or unencrypted security questions and answers.

The company added that some of its partners were affected. One such partner, Europe’s Sky Plc <SKYB.L>, said Yahoo provides email services to its 2.1 million Sky.com email account holders, but it was unclear how many of those accounts were affected.

The announcement followed Yahoo’s disclosure in September of a separate breach that affected over 500 million accounts, which the company said it believed was launched by different hackers.

The White House said on Thursday the U.S. Federal Bureau of Investigation was probing the breach. Several lawsuits seeking class-action status on behalf of Yahoo shareholders have been filed, or are in the works.

Meanwhile, Democratic Senator Mark Warner of Virginia said he was looking into Yahoo’s cyber security practices.

“This most-recent revelation warrants a separate follow-up and I plan to press the company on why its cyber defenses have been so weak as to have compromised over a billion users,” he said in a statement.

Warner, who will become the top Democrat on the Senate Intelligence Committee next year, described the hacks as “deeply troubling.”

New York Attorney General Eric Schneiderman urged anyone with a Yahoo account to change their passwords and security questions and said he is examining the breach’s circumstances and the company’s disclosures to law enforcement.

Germany’s cyber security authority, the Federal Office for Information Security (BSI), advised German consumers to consider switching to safer alternatives for email, and criticized Yahoo for failing to adopt modern encryption techniques to protect users’ personal data.

“Considering the repeated cases of data theft, users should look more closely at which services they want to use in the future and security should play a part in that decision,” BSI President Arne Schoenbohm said in a statement.

The latest breach drew widespread criticism from security experts, several advising consumers to close their Yahoo accounts.

“Yahoo has fallen down on security in so many ways I have to recommend that if you have an active Yahoo email account, either direct with Yahoo or via a partner like AT&T, get rid of it,” Stu Sjouwerman, chief executive of cyber security firm KnowBe4 Inc, said in a broadly distributed email.

A Yahoo spokesperson, in response to criticism of the company’s security measures, said on Thursday: “We’re committed to keeping our users secure, both by continuously striving to stay ahead of ever-evolving online threats and to keep our users and platforms secure.”

(Reporting by Greg Roumeliotis and Jessica Toonkel in New York and Dustin Volz in Washington; Additional reporting by Liana Baker, Anna Driver, Eric Auchard and Michael Erman; Writing by Jim Finkle and Jonathan Weber; Editing by Bill Trott and Bill Rigby)

Dozens of U.S. lawmakers request briefing on Yahoo email scanning

Yahoo Mail logo

By Dustin Volz

WASHINGTON (Reuters) – A bipartisan group of 48 lawmakers in the U.S. House of Representatives on Friday asked the Obama administration to brief Congress “as soon as possible” about a 2015 Yahoo <YHOO.O> program to scan all of its users’ incoming email at the behest of the government.

The request comes amid scrutiny by privacy advocates and civil liberties groups about the legal authority and technical nature of the surveillance program, first revealed by Reuters last week. Custom software was installed to search messages to hundreds of millions of accounts under an order issued by the secretive Foreign Intelligence Surveillance Court.

“As legislators, it is our responsibility to have accurate information about the intelligence activities conducted by the federal government,” according to the letter, organized by Republican Representative Justin Amash of Michigan and Democratic Representative Ted Lieu of California.

“Accordingly, we request information and a briefing as soon as possible for all members of Congress to resolve the issues raised by these reports.”

Investigators searched for messages that contained a single piece of digital content linked to a foreign state sponsor of terrorism, sources have told Reuters, though the nature of the content remains unclear.

Intelligence officials said Yahoo modified existing systems used to stop child pornography and filter spam messages on its email service.

But three former Yahoo employees told Reuters the court-ordered search was done by a module buried deep near the core of the company’s email server operation system, far below where mail sorting was handled.

The Senate and House intelligence committees were given a copy of the order when it was issued last year, sources said, but other members of Congress have expressed concern at the scope of the email scanning.

Some legal experts have questioned the breadth of the court order and whether it runs afoul of the U.S. Constitution’s Fourth Amendment protections against unreasonable searches.

Half of registered U.S. voters believe the Yahoo program violated the privacy of customers, according to a poll of 1,989 people conducted last week by Morning Consult, a polling and media company.

Twenty-five percent were supportive of the program because of its potential to stop criminal acts, the survey found, while another quarter did not know or had no opinion.

The congressional letter is addressed to Attorney General Loretta Lynch and Director of National Intelligence James Clapper.

(Additional reporting by Mark Hosenball and Joseph Menn; Editing by Jeffrey Benkoe)

Exclusive: Yahoo secretly scanned customer emails for U.S. intelligence – sources

Yahoo billboard

By Joseph Menn

SAN FRANCISCO (Reuters) – Yahoo Inc last year secretly built a custom software program to search all of its customers’ incoming emails for specific information provided by U.S. intelligence officials, according to people familiar with the matter.

The company complied with a classified U.S. government demand, scanning hundreds of millions of Yahoo Mail accounts at the behest of the National Security Agency or FBI, said three former employees and a fourth person apprised of the events.

Some surveillance experts said this represents the first case to surface of a U.S. Internet company agreeing to an intelligence agency’s request by searching all arriving messages, as opposed to examining stored messages or scanning a small number of accounts in real time.

It is not known what information intelligence officials were looking for, only that they wanted Yahoo to search for a set of characters. That could mean a phrase in an email or an attachment, said the sources, who did not want to be identified.

Reuters was unable to determine what data Yahoo may have handed over, if any, and if intelligence officials had approached other email providers besides Yahoo with this kind of request.

According to two of the former employees, Yahoo Chief Executive Marissa Mayer’s decision to obey the directive roiled some senior executives and led to the June 2015 departure of Chief Information Security Officer Alex Stamos, who now holds the top security job at Facebook Inc.

“Yahoo is a law abiding company, and complies with the laws of the United States,” the company said in a brief statement in response to Reuters questions about the demand. Yahoo declined any further comment.

Through a Facebook spokesman, Stamos declined a request for an interview.

The NSA referred questions to the Office of the Director of National Intelligence, which declined to comment.

The request to search Yahoo Mail accounts came in the form of a classified edict sent to the company’s legal team, according to the three people familiar with the matter.

U.S. phone and Internet companies are known to have handed over bulk customer data to intelligence agencies. But some former government officials and private surveillance experts said they had not previously seen either such a broad demand for real-time Web collection or one that required the creation of a new computer program.

“I’ve never seen that, a wiretap in real time on a ‘selector,’” said Albert Gidari, a lawyer who represented phone and Internet companies on surveillance issues for 20 years before moving to Stanford University this year. A selector refers to a type of search term used to zero in on specific information.

“It would be really difficult for a provider to do that,” he added.

Experts said it was likely that the NSA or FBI had approached other Internet companies with the same demand, since they evidently did not know what email accounts were being used by the target. The NSA usually makes requests for domestic surveillance through the FBI, so it is hard to know which agency is seeking the information.

Alphabet Inc’s Google and Microsoft Corp, two major U.S. email service providers, separately said on Tuesday that they had not conducted such email searches.

“We’ve never received such a request, but if we did, our response would be simple: ‘No way’,” a spokesman for Google said in a statement.

A Microsoft spokesperson said in a statement, “We have never engaged in the secret scanning of email traffic like what has been reported today about Yahoo.” The company declined to comment on whether it had received such a request.

CHALLENGING THE NSA

Under laws including the 2008 amendments to the Foreign Intelligence Surveillance Act, intelligence agencies can ask U.S. phone and Internet companies to provide customer data to aid foreign intelligence-gathering efforts for a variety of reasons, including prevention of terrorist attacks.

Disclosures by former NSA contractor Edward Snowden and others have exposed the extent of electronic surveillance and led U.S. authorities to modestly scale back some of the programs, in part to protect privacy rights.

Companies including Yahoo have challenged some classified surveillance before the Foreign Intelligence Surveillance Court, a secret tribunal.

Some FISA experts said Yahoo could have tried to fight last year’s demand on at least two grounds: the breadth of the directive and the necessity of writing a special program to search all customers’ emails in transit.

Apple Inc made a similar argument earlier this year when it refused to create a special program to break into an encrypted iPhone used in the 2015 San Bernardino massacre. The FBI dropped the case after it unlocked the phone with the help of a third party, so no precedent was set.

“It is deeply disappointing that Yahoo declined to challenge this sweeping surveillance order, because customers are counting on technology companies to stand up to novel spying demands in court,” Patrick Toomey, an attorney with the American Civil Liberties Union, said in a statement.

Some FISA experts defended Yahoo’s decision to comply, saying nothing prohibited the surveillance court from ordering a search for a specific term instead of a specific account. So-called “upstream” bulk collection from phone carriers based on content was found to be legal, they said, and the same logic could apply to Web companies’ mail.

As tech companies become better at encrypting data, they are likely to face more such requests from spy agencies.

Former NSA General Counsel Stewart Baker said email providers “have the power to encrypt it all, and with that comes added responsibility to do some of the work that had been done by the intelligence agencies.”

SECRET SIPHONING PROGRAM

Mayer and other executives ultimately decided to comply with the directive last year rather than fight it, in part because they thought they would lose, said the people familiar with the matter.

Yahoo in 2007 had fought a FISA demand that it conduct searches on specific email accounts without a court-approved warrant. Details of the case remain sealed, but a partially redacted published opinion showed Yahoo’s challenge was unsuccessful.

Some Yahoo employees were upset about the decision not to contest the more recent edict and thought the company could have prevailed, the sources said.

They were also upset that Mayer and Yahoo General Counsel Ron Bell did not involve the company’s security team in the process, instead asking Yahoo’s email engineers to write a program to siphon off messages containing the character string the spies sought and store them for remote retrieval, according to the sources.

The sources said the program was discovered by Yahoo’s security team in May 2015, within weeks of its installation. The security team initially thought hackers had broken in.

When Stamos found out that Mayer had authorized the program, he resigned as chief information security officer and told his subordinates that he had been left out of a decision that hurt users’ security, the sources said. Due to a programming flaw, he told them hackers could have accessed the stored emails.

Stamos’s announcement in June 2015 that he had joined Facebook did not mention any problems with Yahoo. (http://bit.ly/2dL003k)

In a separate incident, Yahoo last month said “state-sponsored” hackers had gained access to 500 million customer accounts in 2014. The revelations have brought new scrutiny to Yahoo’s security practices as the company tries to complete a deal to sell its core business to Verizon Communications Inc for $4.8 billion.

(Reporting by Joseph Menn; Editing by Jonathan Weber and Tiffany Wu)

Senators accuse Yahoo of ‘unacceptable’ delay in hack discovery

Yahoo CEO Marissa Mayer delivers her keynote address at the annual Consumer Electronics Show (CES) in Las Vegas, Nevada

By Dustin Volz

WASHINGTON (Reuters) – Six Democratic U.S. senators on Tuesday said it was “unacceptable” that Yahoo only last week announced a 2014 hack into 500 million user accounts and asked embattled CEO Marissa Mayer for more information about the company’s investigation into the data breach.

The lawmakers said they were “disturbed” the two-year-old intrusion was detected so long after the hack occurred.

“That means millions of Americans’ data may have been compromised for two years,” the senators wrote in a joint letter addressed to Mayer. “This is unacceptable.”

Yahoo did not immediately respond to a request for comment about the letter.

Yahoo has faced mounting questions about exactly when it knew about the 2014 cyber attack that exposed the email credentials of users, a critical issue for the company as it seeks to prevent the breach from affecting a pending takeover of its core business by Verizon Inc.

The internet firm has said it detected the breach this summer after conducting a security review prompted by an unrelated hack claim that turned out to be meritless. Yahoo has not given a precise timeline explaining when it was made aware of the 2014 attack, or if it knew of the breach before announcing the deal with Verizon in late July.

The senators requested a briefing from Yahoo to explain the company’s investigation into the breach, its cooperation with law enforcement and national security authorities, and plans to protect affected users.

The letter was signed by Senators Patrick Leahy, Al Franken, Elizabeth Warren, Richard Blumenthal, Ron Wyden and Edward Markey.

The senators asked Mayer for a timeline of the hack and its discovery and how such a large breach went undetected for so long. They also asked what Yahoo was doing to prevent another breach in the future, if the company has changed its security protocols, and whether the U.S. government had warned of a possible hacking attempt.

The letter came a day after Democratic Senator Mark Warner asked the U.S. Securities and Exchange Commission to investigate whether Yahoo and its senior executives fulfilled obligations to inform investors and the public about the hacking attack, which Yahoo has blamed on a “state-sponsored actor.”

(Reporting by Dustin Volz; Editing by Chizu Nomiyama and Andrew Hay)