The massive 2014 breach disclosed today by Yahoo is just one of three reported hacks from the past four years. As noted previously, there was also a 2012 breach of 200 million accounts, and Emptywheel has pointed to an individual account hacked earlier this year.
There’s something very unsettling about the way tech companies are responding to these big security breaches: none of them informed their users with anything resembling a sense of urgency. Dropbox waited four years to tell users about their 2012 hack, and only did so after lying about why they were resetting users’ passwords. Tumblr waited three years.
And then there’s Yahoo. They didn’t tell users about the breach in 2012, even after Vice’s Joseph Cox asked about it earlier this year. Today, Kara Swisher and Kurt Wagner of Recode have a comment from Verizon — who are currently in the process of acquiring Yahoo — stating that they didn’t know about the 2012 breach until two days ago, and they only discovered the 2014 hack while investigating the one from 2012.
All of these responses are incredibly irresponsible. Nobody should be finding out that their personal details have been floating around underground message boards for years. These breaches ought to have been publicly acknowledged immediately.