Yahoo Inc this week will disclose a data breach that compromised the details of several hundred million users, technology news site Recode reported on Thursday, citing unnamed sources familiar with the company’s plan.
Reuters was not able to confirm the report. It was not clear how such a disclosure might affect Yahoo’s plan to sell its email service and other core internet properties to Verizon Communications Inc for $4.8 billion.
Representatives at Yahoo and Verizon could not be reached for comment. Shares of both companies were up 0.5 percent in late morning trading, compared with a 0.6 percent increase in the Nasdaq Composite index, reports Reuters.
A Yahoo logo is seen on top of the building where they have offices in New York City
If a breach is confirmed, Yahoo would likely force users to change their passwords, said Linn Freedman, a privacy attorney with Robinson & Cole LLP.
But Yahoo would likely not need to notify individuals affected via mail or provide them with credit monitoring services if the scope of the breach is limited to what has been described in press reports.
“If no financial information or Social Security numbers are involved, then most state laws would not require notification and credit monitoring would not be applicable,” Freedman said.
Recode’s report follows an Aug. 1 story on the technology news site, Motherboard, which said a cyber criminal known as Peace was selling the data of about 200 million Yahoo users but did not confirm its authenticity. The Motherboard report was published a week after Verizon announced its deal with Yahoo.
Peace was selling that data for 3 bitcoin, or around $1,860, according to Motherboard. Details that were possibly compromised include user names, birth dates, some backup email addresses and scrambled passwords, Motherboard said.
Gartner analyst Avivah Litan said that even though a breach had not been confirmed, all Yahoo users should assume their credentials were stolen and change their passwords.
Stolen passwords are valuable to cyber criminals, she said, because consumers often reuse passwords. Criminals use stolen credentials for so-called “credential stuffing” attacks, which Litan said have surged over the past 18 months.
In such attacks, criminals use automated programs to cycle through stolen user IDs and passwords and log into personal accounts on sites such as banks, travel firms, and online gaming firms.
While the average success rate is only 1 to 2 percent, consumers stand to lose money, credit card data, frequent flyer points and cash stored on merchant wallets, she said.