2016-09-22 (Adds comment from experts, stock moves)
By Jim Finkle
Sept 22 Yahoo Inc this week will
disclose a data breach that compromised the details of several
hundred million users, technology news site Recode reported on
Thursday, citing unnamed sources familiar with the company's
plan.
Reuters was not able to confirm the report.
It was not clear how such a disclosure might affect Yahoo's
plan to sell its email service and other core internet
properties to Verizon Communications Inc for $4.8
billion.
Representatives at Yahoo and Verizon could not be reached
for comment. Shares of both companies were up 0.5 percent in
late morning trading, compared with a 0.6 percent increase in
the Nasdaq Composite index.
If a breach is confirmed, Yahoo would likely force users to
change their passwords, said Linn Freedman, a privacy attorney
with Robinson & Cole LLP.
But Yahoo would likely not need to notify individuals
affected via mail or provide them with credit monitoring
services if the scope of the breach is limited to what has been
described in press reports.
"If no financial information or Social Security numbers are
involved, then most state laws would not require notification
and credit monitoring would not be applicable," Freedman said.
Recode's report follows an Aug. 1 story on the technology
news site, Motherboard, which said a cyber criminal known as
Peace was selling the data of about 200 million Yahoo users, but
did not confirm its authenticity.
The Motherboard report was published a week after Verizon
announced its deal with Yahoo.
Peace was selling that data for 3 bitcoin, or around $1,860,
according to Motherboard. Details that were possibly compromised
include user names, birth dates, some backup email addresses and
scrambled passwords, Motherboard said.
Gartner analyst Avivah Litan said that even though a breach
had not been confirmed, all Yahoo users should assume their
credentials were stolen and change their passwords.
Stolen passwords are valuable to cyber criminals, she said,
because consumers often reuse passwords. Criminals use stolen
credentials for so-called "credential stuffing" attacks, which
Litan said have surged over the past 18 months.
In such attacks, criminals use automated programs to cycle
through stolen user IDs and passwords and log into personal
accounts on sites such as banks, travel firms and online gaming
firms.
While the average success rate is only 1 to 2 percent,
consumers stand to lose money, credit card data, frequent flyer
points and cash stored on merchant wallets, she said.
(Reporting by Jim Finkle in Boston; Additional reporting by
Aishwarya Venugopal in Bengaluru and Eric Auchard in Frankfurt;
Editing by Ted Kerr and Bernadette Baum)