Cybersecurity Risk Assessment a Critical Part of M&A Due Diligence (Network World)


As of mid-February, the plan for Verizon Communications to acquire a majority of Yahoo’s web assets is still on, despite the announcement that Yahoo suffered two massive breaches of customer data in 2013 and 2014. The sale price, however, has been discounted by $350 million, and Verizon and Altaba Inc. have agreed to share any ongoing legal responsibilities related to the breaches. Altaba is the entity that will own the portion of Yahoo that Verizon is not acquiring.

Following the disclosure of these breaches, Yahoo was heavily criticized for its lax stance on cybersecurity. For example, a team from Venafi Labs looked at the cryptographic posture of external Yahoo web properties and claims to have discovered that 27% of the company’s security certificates had not been reissued since January 2015. According to Venafi, replacing certificates after a breach is a critical mitigation practice; unless certificates are replaced, breached organizations cannot be certain that attackers do not have ongoing access to encrypted communications. In addition, Venafi says 41% of the external Yahoo certificates it discovered use SHA-1, a hashing algorithm that is no longer considered secure. Apparently, Yahoo isn’t even attempting to close the barn door after the horses have fled.