The Yahoo Breach, or How Dark Web Data Intelligence can Inform M&A Decisions

Next: Seasons Greetings from the Dark Web
Previous: This Week: TheDarkOverlord Expands His Coverage
The animals are always the first to know. Matchlight is never far behind.
Writer Danny R.
December 19, 2016

Danny is one of the founders of Terbium and is known around the office for his extended soliloquies and pontifications about the security industry. He blogs about global trends and the importance of knowing where one's data is on the dark web.

The news keeps getting worse for Verizon’s acquisition of Yahoo. First, shortly after they announced the terms of a deal, Yahoo came out with news that they had been breached, and that they knew about it as early as 2014. Now, not only does news of a second breach surface, but that breach is both much larger – affecting up to a billion accounts, what many are calling an equivalent of an ecological disaster for the internet – but that they knew about this larger one as far back as 2012 or 2013. Now there is talk of lowering the acquisition price or even cancelling the deal altogether.

While this is not the first time information security incidents have affected an M&A deal, it is certainly the most high profile one, at least in recent history. The potential liabilities from such an enormous compromise are obvious, and are certainly cause for concern from the acquirer’s, in this case Verizon’s, perspective.

The historic scale of the breach got us here at Terbium thinking, how could dark web data intelligence have helped Verizon avoid the potential embarrassment and liability around such an acquisition. Could they have known that there was a potential problem before they finalized the terms, thus preventing the chaos that has ensued around the deal now that these revelations have come to light?

We took a look through some of our historic Matchlight data to see if there were any early indicators, and it turns out there were. This is a plot of email addresses crawled by Matchlight starting in September of 2015 and going through November of 2016.


You can see two interesting groups of spikes. The second one, starting in September of 2016, coincides with Yahoo’s public disclosure of the breach, and very likely represents many of the “hangers on” on the dark web pasting fake or old data and taking credit for the breach. This happens a lot; we saw fake and old government breach data on Hell forum shortly after news of the OPM breach broke, for example.

But the more interesting spike comes earlier in the year, starting in November of 2015, peaking in January, and continuing through the Spring of this year. During this time, for much less obvious reasons, email address spiked in large volume on the dark web for a number of months, indicating that there were many, many compromised accounts available for sale and speaking to a larger issue with Yahoo’s data integrity.

The existence of this spike could have been an early indicator of lax security at Yahoo, and could have been useful in the M&A negotiations. During the April - August lull in the activity was the time when the acquisition offers started coming in and when the original terms of the Verizon deal started to become finalized. Had Verizon used data intelligence to investigate the dark web footprint of their acquisition target’s users during that timeframe, they would have uncovered these indicators of compromise and could have investigated further before finalizing and announcing the terms, thus avoiding the embarrassment and chaos that has ensued since news of these breaches broke.

Dark web data intelligence has many uses beyond simply data breach detection. In this example, it could have further informed an M&A decision. Generally, this falls into a broader category of using data intelligence to get ahead of news cycles by gathering and analyzing information directly from the dark web.

analysis June 24, 2019
New Research: Terbium Labs Uncovers Pervasive Links Between Fraud and Transnational Crime

Terbium Labs investigated the links between payment fraud and serious transnational crime. This research begins to fill a gap in understanding about the use of fraudulent financing in some of the most heinous crimes...

analysis April 17, 2019
Terbium Labs Investigates Dark Web Fraud Guides for an Inside Look on Cyber Crime

With our latest research, Fraud Guides 101: Dark Web Lessons on How to Defraud Companies and Exploit Data, Terbium Labs investigates dark web fraud guides to create a detailed, first-hand account of the illicit...