Yahoo's admission that a "state-sponsored actor" successfully stole account information related to 500 million of users from its computer networks in late 2014 could have serious implications for the deal between the internet firm and its future parent company, Verizon.
In July, the US telecoms giant announced it had reached an agreement to buy Yahoo for a cash deal worth $4.8bn (£3.6bn, €4.1bn), with the deal expected to be completed in the first three months of next year.
Shortly after the sale was agreed, Yahoo revealed it was investigating a data breach after hackers claimed to have gained access to 200 million accounts. However, the issues turned out to be a lot bigger than initially thought and the internet giant admitted on Thursday (22 September) the number of accounts affected was more than double the original estimate.
"A recent investigation by Yahoo has confirmed that a copy of certain user account information was stolen from the company's network in late 2014 by what it believes is a state-sponsored actor," the company said in a statement.
"Based on the ongoing investigation, Yahoo believes that information associated with at least 500 million user accounts was stolen and the investigation has found no evidence that the state-sponsored actor is currently in Yahoo's network."
The key issue as far as both companies are concerned is to establish whether Yahoo was aware of the data breach before finalising the deal. A clause in the agreement, which was signed on 23 July, stated that there had not been any incidents or allegations of hacking or security breaches "that could reasonably be expected to have a Business Material Adverse Effect".
Verizon said it was only made aware of the breach earlier this week, adding it had "very limited information" over the incident. "Within the last two days, we were notified of Yahoo's security incident," a Verizon spokesperson was quoted as saying by the CNN. "We understand that Yahoo is conducting an active investigation of this matter, but we otherwise have limited information and understanding of the impact."
Potential damage to Yahoo's reputation
Under the terms of the merger, Verizon is understood to be unable to walk away from the deal because of changes in external circumstances or in case Yahoo misses its financial targets. However, the data breach causes potentially irreparable damage to the latter's reputation and trust.
"Breaches are damaging and expensive, as Yahoo has discovered," Chris Petersen, CTO of security company LogRhythm told CNBC. "The ramifications of a successful attack are far-reaching, and could potentially impact their deal with Verizon."
SunTrust's analyst Robert Peck said that while the data breach might not be enough to completely derail the deal, it could see up to $200m being knocked off the final closing price.
Chris Hodson, chief information security officer for Europe, Middle East and Africa at web security provide Zscaler, added Yahoo would have a lot of explaining to do to shed light on how the data was breached. "With no technical details included in Yahoo's report about how the data was exfiltrated, just that it was, it's impossible to assess credibility of the 'state sponsored' claim without this," he said.
"In this instance, we can only speculate that the 'state sponsored actor' claim was made with a view to placating the general public. The act of stealing heaps of personal information but leaving financial credentials untouched, also highlights the motives of the assumed 'state sponsored actors' was not immediate financial fraud."