Yahoo Fizzles With History’s Biggest Data Breach

As September is gearing up to go into its last week, the waning warm days of the summer season certainly went out with a bang — care of the largest data breach ever recorded.

But more on Yahoo’s woes in a minute — let’s start out with the good news this week, shall we?


Stripe’s Instant Payouts

Stripe offered a big upgrade this week to its marketplace customers. Now open for business, Instant Payouts was built for marketplaces and their 1099 workforces. When the service works as intended, contract workers can be paid “within minutes” directly to a Visa or Mastercard debit card.

The Instant Payouts service isn’t entirely new to Stripe. It’s been piloting the service with select customers for about a year — most notably, Lyft, which disclosed last week that it has paid $500 million to drivers through the scheme so far. Instant Payouts is now an option for any marketplace (starting first in the U.S.) that already uses Stripe’s Connect basic payments API. Stripe makes money when the transaction is made — in this case, Stripe takes 1.5 percent of the payout amount, with a minimum fee of $0.50. The upgrade is made possible by two separate deals with Visa and Mastercard that will see Stripe add both Visa Direct and Mastercard Send to its marketplaces so that users can get paid faster to their debit cards. Big sizzle for Stripe, which is now able to offer payments slightly faster than Venmo Payouts, which will still reportedly take a day.

Same Day ACH Is Here
It’s been a long road to ubiquitous, faster payments in the U.S. But in less than 18 months after NACHA members approved Same-Day ACH functionality for all of the banks in the U.S., Phase 1 — credits — is now live in every single financial institution. Three settlement windows each day will make settlement and posting of Same Day ACH payments possible. The upgrade to the ACH rails is about making payments faster, but also about moving those payments with the information flow that removes the friction from payments. Faster with ubiquity — a major sizzle for banks, businesses and consumers.

Faster and smoother, in fact, was the theme du jour in the sizzle section this week. The fizzles, not so much…


Wells Fargo
One almost felt bad for Wells Fargo CEO John Stumpf when Elizabeth Warren publicly called him “gutless.” Sure, Wells Fargo got caught red-handed defrauding and breaching the trust of its customers by creating 2 million fake accounts, but his 8-minute trashing by Sen. Warren was harsh.

Two things, however, made it hard to feel all that bad for Stumpf during Tuesday’s hearing. Senator Warren was the most colorful, but Senators from both sides of the aisle wanted to know just what exactly went so wrong at Wells. Stumpf clarified that Wells had known about the falsified accounts problem for years — and had been trying to fix it, but just couldn’t figure out how. Disturbing. Wells also didn’t formally change its incentive structure — under which employees were bonused for signing up customers for multiple accounts and fired for not hitting quotas — until this year. Doubly disturbing.

The Senators also had many questions about Carrie Tolstedt — the recently retired, much lauded and now very rich community banking head who ran the division where all of the fraud took place. Stumpf was quick to point out that Wells fired 5,300 or so branch-level employees directly responsible for the fraud – but Senators were extremely curious as to why the Wells managers and executives who oversaw the mess had been spared the purge. Tolstedt, who made $124M, kept her job, while employees making $12/hour were sacked. Many Senators wondered if Wells was going to get that money back – which, of course, creates a very slippery slope for everyone. No one wants to see a world in which the government decides it doesn’t like what you do, and then decides to claw back your wealth.

It was a dispiriting time – for Wells, for Stumpf, for banking and bankers, and for business practices in general. Wells has managed to give cross-selling a bad name and to hand Congress the hook it has been waiting for to drag big banks through the mud. The real losers? The shareholders and the employees. Somehow fizzle doesn’t quite seem strong enough.

Retail’s Labor Force
As it turns out, while a good economy has a lot of advantages for retailers, it also comes with one big problem, at least in 2016. With unemployment at 4.9 percent, fewer workers are looking to take part-time seasonal work at a minimum wage rate of pay. Retailers are already experiencing worker shortages pre-holiday, and analysts are increasingly concerned that some retailers just won’t be able to totally fill the gap. Retail as a sector needs 738,800 seasonal workers for the winter holidays. That is about level with last year — though the balance of those jobs is shifting away from the showroom floor and more toward backend distribution in warehouse and fulfillment centers. That itself is part of the problem, according to analysts — those distribution center jobs are harder to fill given that they are more physically demanding. Retailers are trying to wind back this fizzle. Target is hosting mass hiring events nationwide and recently hosted its annual pep rally, Macy’s is celebrating September 30th as a national hiring holiday and Toys”R”Us has introduced new incentives this year, including increased pay and bigger employee discounts. Walmart has also embraced the money route, with both higher pay and quarterly bonuses for store performance. And the need to keep staff can easily be read in the bonus sum — Walmart has just paid out around $200 million in extra compensation to its workers. A good clerk is getting harder to find — and more expensive to keep on staff.

The Fizzle Of The Week/Decade: Yahoo’s Super-Sized Hack

And to think — they said that Yahoo would never be #1 at anything ever again.

Sure, the biggest data breach in the digital era is obviously not how they wanted to do it, and accidentally letting half a billion customers’ worth of information out into the digital ether for auction on the open market is not the curtain call anyone would want to see. And the curtain call was inevitable — the end has been upon Yahoo since July, when it became public knowledge that Verizon would be buying, for ~$4 billion, the core assets of a firm whose market cap was once $125 billion. But there is something to be said for going out with a bang instead of a whimper — and you have to hand it to Yahoo — they surely managed one heck of a bang on their way out the door.

What we know as of now is that the hack grabbed data like email addresses, dates of birth, telephone numbers and encrypted passwords — but not payments information. But who needs payment information when you have all of that!

All in all, 500 million accounts went out the door and into the hands of an as-of-yet unknown hacker or group thereof. One possibility is a hacker calling himself “Peace,” who identified himself over the summer as the thief behind a 200 million account-boosting hack. Yahoo acknowledged the claim at the time — but did not confirm or deny it — noting only that it was under investigation. They didn’t tell their users to update their passwords at the time — which in retrospect might have been worth doing. Then again, since this massive breach stems from an incursion into Yahoo’s systems in 2014, changing one’s passwords a few months ago likely would have fallen into the too little, too late category anyway.

Yahoo has not confirmed that “Peace” is the hacker behind the 500 million account hack — at present they are alleging that the hack was “state sponsored” in some way. Specifically, Yahoo’s contention is that while investigating Peace’s claim, it concluded the information for sale wasn’t legitimate, but the company decided to broaden its probe, eventually determining that it had been breached by “a state-sponsored actor.”

They haven’t said which state is the sponsor — and as of yet, many are dubious of that claim. Jeremiah Grossman was one of Yahoo’s infosec officers in the early 2000s; today he is Head of Security Strategy at SentinelOne.

In an interview with PYMNTS after the news broke, he noted that despite Yahoo’s claims, what happened at Yahoo doesn’t much resemble a state-sponsored hack. It’s not that there aren’t reasons a state-sponsored team might want to hack firms like Yahoo — according to Grossman, Yahoo falls into a category of apps that is broadly useful.

“If you are a nation state and want to determine if any of your domestic spies have been discovered, you put taps on Google, Yahoo, Microsoft etc. rather than government networks. Of course, there is always the motivation to deanonymize political dissidents.”

But because government groups want to use that information for as long as possible, they don’t advertise that they have it, Grossman said, and that’s not at all what happened at Yahoo.

“State-sponsored adversaries don’t typically publicly share stolen data or sell it, like profiteer hacker ‘Peace of Mind.’ Peace of Mind was all about selling stolen Yahoo account data, so it’s unlikely he was state-sponsored.”

Peace might be a free agent, Grossman noted, but that has a rather unfortunate consequence. Either it’s the world’s biggest coincidence that Yahoo had a troll bragging about a giant hack that never happened while at the same time they were really being giantly hacked by someone else.

Or, Grossman notes, there is a simpler explanation.

“We’re looking at two different Yahoo breaches with two different hacking groups in their system.”

And while that may sound even less likely, Grossman notes again that it is not impossible. Nor, he notes, is it all that surprising that this breach happened at all — as someone with insider knowledge of Yahoo’s systems, Grossman pointed out something that few have observed: Yahoo! is an unbelievably large and hard-to-defend target.

“[Yahoo] has huge and sprawling networks with hundreds of thousands of hosts,” Grossman explained. “That’s a lot of attack surface for anyone to effectively protect all the time. So, it’s unsurprising when breaches, even of this magnitude, take place. Yahoo certainly isn’t the first, and they won’t be the last.”

But it will at least be the last breach for Yahoo — since, technically speaking, Yahoo will only be in existence for a short time longer because Verizon bought it in July. Verizon has confirmed that it was notified of Yahoo’s security incident within the last two days but has “limited information and understanding of the impact.”

“We will evaluate as the investigation continues through the lens of overall Verizon interests, including consumers, customers, shareholders and related communities,” Verizon said.

And while this is not great news — and the meeting this week between the two firms’ senior officials to ensure a smooth transition will likely be a bit tense — the experts also mostly agree this current mess will not stop the deal from going through. Like Grossman, everyone basically understands the new shape of the market.

“Data breaches have become part of doing business now,” noted B. Riley & Co. analyst Sameet Sinha.

He further noted that Microsoft Corp. agreed to buy LinkedIn for $26.2 billion in June, one month after LinkedIn notified users of the broader scope of its 2012 breach.

Not everyone is quite so bullish — Stephen S. Wu, a technology lawyer at the Silicon Valley Law Group, agrees the deal is still going to happen — but Verizon could use this, along with language in the agreement about data breaches, as leverage to negotiate an even deeper fire-sale price for Yahoo.

As recently as even five years ago it would have been hard to imagine Yahoo selling for less than $10 billion — let alone less than $4 billion, though that seems to be coming next. Also likely to follow are government inquiries and lawsuits and hopefully some more details about why Yahoo thinks they were the victim of a state-sponsored attack.

But while those things remain in the ether, one thing is very clear. With the biggest breach and a strange-sounding claim explaining it — Yahoo is the uncontested fizzle of the week.
