While its users are still digesting the news, the massive breach could also have bigger implications and compromise Yahoo’s recent agreement with Verizon, its future parent company, costing it hundreds of millions of dollars.
Verizon confirmed that it will buy out Yahoo for $4.83bn (£3.6bn) in cash in July, marking the end of the six-month sale process and the end of an era for a company that once defined the internet. The deal was originally expected to close in the first quarter of 2017.
“For Verizon this is a big problem. They are attempting to acquire a company that is now publicly announcing it suffered a massive breach. So they now have to factor in the cost of investigating the breach, the cost of reassuring all of Yahoo’s users that they have been protected and marketing that,” Michael Borohovski, co-founder of Tinfoil Security, told Bloomberg.
Verizon could claim a material breach for the data hack, by arguing that the event has caused irreparable harm to Yahoo in terms of customer trust and usage.
Robert Peck, an analyst with SunTrust, estimates the breach could shave $100m to $200m off the closing price of the deal.
"As Verizon are about to buy Yahoo, they will have to consider the backlash of future issues with compromised account data. Because the ramifications of data breaches are often felt in the future, they will have to consider the implications of any customers who can prove identity issues caused as a result of this particular breach if they are the new owners," Mark James, security specialist at ESET, said.
The biggest threat to the agreement relates to when exactly Yahoo found out about the breach and how long it waited to disclose it publicly.
A clause in the merger agreement signed on 23 July states that there had not been any incidents or allegations of hacking or security breaches “that could reasonably be expected to have a business material adverse effect”.
However, a few days after the deal was signed, Yahoo said it was investigating a data breach in which hackers claimed to have access to 200 million user accounts. At the time, Yahoo declined to say whether it first learned of the hack before or after that deal was announced, according to the Washington Post.
On Thursday, it turned out the breach was much worse than expected as 500 million user accounts were stolen by a “state-sponsored” attacker, according to the company.
In an official statement, Verizon said it was notified of Yahoo’s security incident only two days ago.
"Within the last two days, we were notified of Yahoo's security incident. We understand that Yahoo is conducting an active investigation of this matter, but we otherwise have limited information and understanding of the impact," Verizon said in a statement.
Keatron Evans, a partner at consulting firm Blink Digital Security, told CNBC: "If we find out that they knew about this breach two years ago, then there's going to be some hard questions about why they didn't disclose it."
"When it's something intentional, and there was obvious intention to defraud, then that's more impetus for congressional hearings."
Yahoo said it is currently working with law enforcement as it seeks to respond to the attack.
The company published security advice on its Tumblr, including suggestions that users avoid clicking on suspicious links and be cautious about unsolicited emails and other communications.
The hack is similar to the one experienced by Myspace earlier this year.