In September, Verizon admitted that hackers had stolen sensitive information from at least 500 million Yahoo accounts in late 2014. Compromised info included "names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers."
At the time, the Yahoo hack was considered the largest data breach in history, and the company's protracted silence on the matter only perpetuated claims that CEO Marissa Mayer didn't prioritize security. Yahoo blamed a state-sponsored attacker, but even that is in question, following an investigation by security company InfoArmor that found for-hire hackers were involved.
Yahoo has yet to explain why it waited two years to inform customers about the massive data breach. However, with a Verizon sale looming, it's clear why executives decided to air their dirty laundry when they did, rather than be outed by the vetting process.
Yahoo CEO Marissa Mayer (Image credit: Simon Dawson / Bloomberg via Getty Images)
Just weeks after admitting to the 2014 hack, Yahoo found itself wrapped up in another scandal involving stolen information -- but this time it was accused of aiding a cyberattack against its own customers.
On October 4th, Reuters reported that Yahoo had cooperated with US government requests to scan all incoming messages for hundreds of millions of Yahoo Mail accounts in 2015. The report claimed Yahoo built custom software to help the NSA and FBI search for specific information in the collected emails. This apparent cooperation with government officials was in direct opposition to the hard-line anti-surveillance stance held by Google and other major technology companies.
The next day, Yahoo sent out a statement saying, "The article is misleading. We narrowly interpret every government request for user data to minimize disclosure. The mail scanning described in the article does not exist on our systems."
The New York Times followed up with news that Yahoo was attempting to comply with a secret court order made under the Foreign Intelligence Surveillance Act, and that it had modified an existing malware-scanning system for government use. Soon after, three former Yahoo employees claimed the scanning program was embedded deeper in the company's systems than first cited; they said it was enabled via a module attached to the Linux kernel itself. Additional reports claimed that Yahoo's security team under former head Alex Stamos had shut down the system as soon as they discovered it.
Yahoo didn't help matters when it disabled automatic email forwarding in the midst of public uproar about its surveillance practices, effectively stopping exasperated Mail users from leaving the service. A few days later, mail forwarding was reinstated alongside a sterile and half-convincing statement about scheduled maintenance.
Vacancy at Yahoo (Image credit: Schill / Flickr)
And then, like an especially bleak chapter in A Series of Unfortunate Events, things got even worse for Yahoo. In the middle of December, the company announced it had been the victim of another, even larger cyberattack back in 2013. Yahoo confirmed that hackers stole information from more than 1 billion accounts, including "names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers." Yes, more than 1 billion accounts.
If the 2014 Yahoo breach was the largest cyberattack in history, the 2013 hack blew that record out of the water. Yahoo shared a blog post about the issue, but no executives stepped forward to offer context or comfort for concerned users.
It was and remains difficult to discern the truth behind the spying situation, the hacking campaigns or any of Yahoo's smaller recent missteps, considering the company's continued silence on its scandals. However, ignoring these problems doesn't make them disappear. In early October, before news of the 2013 hack went public, Verizon was already trying to negotiate a $1 billion discount on its acquisition, according to the New York Post. In fact, the entire sale could be in jeopardy.
This is how Yahoo will be remembered in 2016: as a company that remained silent as the walls around it crumbled. Though the year hasn't been entirely horrible for Yahoo, repeated missteps in security and communication have already cost the company its reputation. By early next year, these ill-fated decisions could end up costing stakeholders much more. Like $1 billion more.