Thanks for nothing, Yahoo

What a spectacular mess, Yahoo. At least 500 million accounts across your myriad services have been hacked. Data ranging from phone numbers to date of birth, email addresses, phone numbers and security questions (but, mercifully, not decrypted passwords) have been in the hands of black hats for not a day, a week or even a month, but five months or more.

You left us all hanging out there is the wind for FOUR MONTHS, Yahoo. What the hell?!

The exclamation point at the end of the company's official name is supposed to symbolize action, but what Yahoo did over the past four months is the opposite of action.

They waited and wondered and left all of us holding the hacked data bag. For that reason, Yahoo forfeits the exclamation point.

If, upon learning this Yahoo data breach news you are not as outraged as I am, you should be. Yahoo is a vast collection of sites and services including Yahoo Mail, Flickr, Tumblr, domains through Yahoo Aabaco Small Business, Yahoo Finance, Yahoo Messenger and more. Suffice to say, if you have 500 million users, you’re big and the impact of a data breach is potentially massive.

Even if your various Yahoo accounts show no signs of a breach, that doesn’t mean they weren’t hacked or that the information has not been used. People with your name, phone number, date of birth and answers to your security questions(!) could have enough to do some triangulation and certainly have engaged in some identity theft by now. Again, you might have a disreputable doppelgänger somewhere and not even know it. The key to good identity theft is to create fake profiles of people and do just enough to not get caught, but still make it profitable for the identity thief.

Also, even if you haven’t used many of your Yahoo services in a while, if the data in the breach is accurate, you’re still at risk.

Before you or I go any further, though, let’s pause a moment to change all of our freaking Yahoo passwords.

Okay. With that all done, we can dive into the other burning questions.

It took too long

Why did Yahoo wait all these months to confirm that the data was real?

Back in June, reports emerged that the data for as many as 200 million Yahoo accounts was for sale on the Dark Web. A hacker ironically named “Peace” claimed responsibility and, according to The Hacker News, was selling it all for 3 bitcoins (almost $2,000).

Yahoo acknowledged the existence of the possible breach, but would not verify that the data was in fact theirs (or, really, ours). In a way, I can understand why Yahoo didn’t come right out and say they were hacked. Opening up about the hack might have derailed its long sought strategic exit.

Back in March, Yahoo set a deadline for all suitors interested in snapping up its web and associated businesses. By the spring, the field had narrowed with Verizon leading the pack. Yahoo closed the $4.83 billion deal with Verizon in late July, a little more than a month after news first broke of the Peace Hack and Yahoo’s potential connection.

Revealing publicly that all that data (and more) was actually there could have potentially derailed the deal or at least delayed it significantly. I wouldn’t expect anyone to actually back out of a deal with a company that’s been hacked. If that were the benchmark for deal-making, it’s unlikely any deals would be made.

Excuses

In Thursday’s Yahoo press release on the massive data breach, it repeatedly calls the investigation “ongoing,” as if to say, “We couldn’t notify you because the authorities hadn’t actually figured it out yet."

I don’t buy this. The data was out there on the Dark Web for months and simply had to be matched against Yahoo’s own actual user data -- a match that probably could have been made in hours or at least days. Even if it took weeks, does anyone believe it would have taken as many as 16 weeks?

In the same release, Yahoo also seems to try and hide behind a “this is happening everywhere defense.” It’s true, cyber hacking is nearing epidemic and scary proportions. Yahoo also claims to be proactive, saying that it’s had a program in place since late last year to detect when a “state-sponsored actor has targeted an account.” So far, they have notified 10,000 users of such attempts.

This little bit of self-congratulatory detail, though, is all the more galling when compared to the half a billion Yahoo customers who have not, until now, been notified.

I asked founder and CEO of Cybersecurity Ventures Steven Morgan if I was being unfair to Yahoo. "In my opinion it took four months for Yahoo! to think about how to deal with the reputational damage that comes with the hack. They should have a good PR plan by now," he wrote in an email.

Let this serve as a warning to all other sites and online services that have not stepped forward to claim hacked data on the Dark Web as their own. “The investigation is ongoing” is not an excuse. We demand an abundance of caution. Tell us even when there’s the smallest possibility you were hacked and recommend we change our passwords today. We’ll complain, be annoyed and drag our heels, but we will act and, some day, thank you.