"Breaches are damaging and expensive, as Yahoo has discovered," said Chris Petersen, CTO of security company LogRhythm. "The ramifications of a successful attack are far-reaching, and could potentially impact their deal with Verizon."
Yahoo will also suffer from lost productivity, inconvenience to its customers, and potentially the permanent loss of credibility, said Petersen.
The biggest question is when Yahoo found out about the breach and how long it waited to disclose it publicly, said Keatron Evans, a partner at consulting firm Blink Digital Security. (Kara Swisher at Recode reported that Verizon isn't happy about Yahoo's disclosures about the hack.)
Verizon-owned AOL issued a statement earlier Thursday.
Within the last two days, we were notified of Yahoo's security incident. We understand that Yahoo is conducting an active investigation of this matter, but we otherwise have limited information and understanding of the impact. We will evaluate as the investigation continues through the lens of overall Verizon interests, including consumers, customers, shareholders and related communities. Until then, we are not in position to further comment.
It is possible that Yahoo has not known about the breach very long — on average, it takes a company as much as 18 months to discover a breach, according to the Verizon Data Breach Report. "Which is scary, but it's true," said Evans.
"If we find out that they knew about this breach two years ago, then there's going to be some hard questions about why they didn't disclose it," he said.
If investigators find that Yahoo failed to comply with required reporting laws governing public companies and those that handle payments information, the situation will quickly escalate, said Evans.
"When it's something intentional, and there was obvious intention to defraud, then that's more impetus for congressional hearings," he said.
Yahoo has said it believes the attack was state sponsored, and is working with authorities in an ongoing investigation. The FBI said in a statement that it is aware of the matter and is investigating it.
The longer it takes for a company to detect and contain a data breach, the more it costs to resolve, a Ponemon Institute and IBM study found. Breaches identified in less than 100 days cost companies an average of $3.23 million, while breaches discovered after 100 days added around $1 million to the tab, averaging $4.38 million.
Yahoo is now working to improve its security protections and threat detection systems, chief security officer Bob Lord said in a message on Thursday. Users who have not updated passwords since 2014 should do so immediately, he said. They should also update security questions, adopt two-factor authentication and be on the lookout for suspicious messages or other activity.
Still, much of that may be too little, too late.
"Yahoo has been doing a bit of closing the barn door after the horses are gone by recently encouraging users to use an alternative factor to the password with what they call Yahoo Account Key," said Corey Williams, an executive at cybersecurity company Centrify.
Yahoo is one of many companies that do not mandate particularly stringent password requirements — like two-factor authentication — though security experts recommend users adopt them.
"Businesses that are waiting until after they are breached to offer more secure access control than a simple username and password, their judgement and trustworthiness certainly should be called into question," said Williams.
One thing Yahoo has going for it is that breaches have become so common that they don't necessarily arouse the same fear and outrage they once did.
"The response is almost routine," said Ray Rothrock, CEO and chairman of RedSeal. "Say you are sorry, suggest that users change their passwords, offer some form of identity and credit monitoring, and commit that it will never happen again."
To fulfill that commitment, Yahoo needs to get inside the heads of the hackers and do a better job of monitoring its own network and making sure it remains resilient to hack attacks and can withstand further intrusions, said Rothrock, "because it will happen again."
Buried at the bottom of the company's most recent quarterly report is a standard acknowledgement of the potential risks associated with a hack attack.
"Despite our implementation of network security measures, our servers are vulnerable to computer viruses, malware, worms, hacking, physical and electronic break-ins, router disruption, sabotage or espionage, and other disruptions from unauthorized access and tampering, as well as coordinated denial-of-service attacks," the statement reads. "We may not be in a position to promptly address attacks or to implement adequate preventative measures if we are unable to immediately detect such attacks."
Here's the part investors — and Verizon — should now be paying attention to.
"Such events could result in large expenditures to investigate or remediate, to recover data, to repair or replace networks or information systems, including changes to security measures, to deploy additional personnel, to defend litigation or to protect against similar future events, and may cause damage to our reputation or loss of revenue," Yahoo warned.