The news keeps getting worse for Verizon’s acquisition of Yahoo. First, shortly after they announced the terms of a deal, Yahoo came out with news that they had been breached, and that they knew about it as early as 2014. Now, not only does news of a second breach surface, but that breach is both much larger – affecting up to a billion accounts, what many are calling an equivalent of an ecological disaster for the internet – but that they knew about this larger one as far back as 2012 or 2013. Now there is talk of lowering the acquisition price or even cancelling the deal altogether.
While this is not the first time information security incidents have affected an M&A deal, it is certainly the most high profile one, at least in recent history. The potential liabilities from such an enormous compromise are obvious, and are certainly cause for concern from the acquirer’s, in this case Verizon’s, perspective.
The historic scale of the breach got us here at Terbium thinking, how could dark web data intelligence have helped Verizon avoid the potential embarrassment and liability around such an acquisition. Could they have known that there was a potential problem before they finalized the terms, thus preventing the chaos that has ensued around the deal now that these revelations have come to light?
We took a look through some of our historic Matchlight data to see if there were any early indicators, and it turns out there were. This is a plot of yahoo.com email addresses crawled by Matchlight starting in September of 2015 and going through November of 2016.
You can see two interesting groups of spikes. The second one, starting in September of 2016, coincides with Yahoo’s public disclosure of the breach, and very likely represents many of the “hangers on” on the dark web pasting fake or old data and taking credit for the breach. This happens a lot; we saw fake and old government breach data on Hell forum shortly after news of the OPM breach broke, for example.
But the more interesting spike comes earlier in the year, starting in November of 2015, peaking in January, and continuing through the Spring of this year. During this time, for much less obvious reasons, yahoo.com email address spiked in large volume on the dark web for a number of months, indicating that there were many, many compromised accounts available for sale and speaking to a larger issue with Yahoo’s data integrity.
The existence of this spike could have been an early indicator of lax security at Yahoo, and could have been useful in the M&A negotiations. During the April - August lull in the activity was the time when the acquisition offers started coming in and when the original terms of the Verizon deal started to become finalized. Had Verizon used data intelligence to investigate the dark web footprint of their acquisition target’s users during that timeframe, they would have uncovered these indicators of compromise and could have investigated further before finalizing and announcing the terms, thus avoiding the embarrassment and chaos that has ensued since news of these breaches broke.
Dark web data intelligence has many uses beyond simply data breach detection. In this example, it could have further informed an M&A decision. Generally, this falls into a broader category of using data intelligence to get ahead of news cycles by gathering and analyzing information directly from the dark web.