Yahoo users might be resetting their passwords, but analysts say Verizon is unlikely to hit the "delete" button on the troubled internet company's acquisition.
"When you have a breach of this magnitude… it certainly has to give Verizon some pause," said Jeff Pollard, a principal analyst at Forrester. "You can guarantee some people are breaking out some spreadsheets right now."
Experts do say the revelation that the accounts of more than 500 million Yahoo users were breached — by what the company said it "believes is a state-sponsored actor" — might delay the deal, as Verizon evaluates what security or legal exposure it might face.
It's also all but a foregone conclusion that CEO Marissa Mayer won't be around for long after the purchase is finalized.
"If there was any type of inkling that she might stay on even for a couple months more, on a transition basis, I think that timeline just got shortened," said Cindy Zhou, vice president and principal analyst of digital marketing and sales effectiveness at Constellation Research. "This is such a black eye that any chance of a longer transition timeline is over and done with."
Yahoo Users Might Ditch Their Accounts
Although ordinary Americans have become largely inured to announcements about data breaches since they occur with such frequency, the fact that this incident included potentially revealing information like phone numbers and security-question answers raises the specter of a ripple effect of identity theft and fraud.
Because people tend to recycle a few passwords over multiple accounts, it's possible that the exposed Yahoo information could give a hacker the information needed to gain access to credit card, bank or payment accounts.
This could alarm users enough that they drop Yahoo entirely, and it also could have legal ramifications for Verizon after it takes over Yahoo.
Pollard said Verizon's long-term plan to transition to being more of a content provider will probably keep it from walking away entirely. "If they were to abandon Yahoo, what else is out there for them?" he said.
Verizon, which announced it would buy Yahoo for $4.8 billion back in July, remained conspicuously quiet. It's possible that purchase price could be up in the air now, Zhou said. If user numbers plummet, it's likely that Verizon would have a contractual opening to go back and renegotiate.
The company seemed to leave the possibility open in the brief statement it issued, which said in part, "We will evaluate as the investigation continues through the lens of overall Verizon interests, including consumers, customers, shareholders and related communities."
That's probably their best strategy for now, Zhou said. The smart thing for Verizon to do, from a PR perspective, is to really stay away from it," she said. "It wasn't on their watch."
Did Verizon Practice Due Diligence?
The discovery likely will raise questions about how much scrutiny Verizon gave Yahoo's security practices and policies, which could prompt it to hit the brakes while it reevaluates those, said Gerald C. Meyers, a professor of management at the University of Michigan graduate business school and a consultant who specializes in corporate crisis management.
"I would even question whether there was full disclosure," he said, adding that Verizon will need to proactively prove to shareholders that it knows everything there is to know about what's under the hood at Yahoo. "I would question Verizon's due diligence," he said.
Although this is likely to cause a headache for Verizon, the fallout would have been worse if the discovery of the breach happened after the deal was done, said Richard Kramer, managing director of Arete Research. "Better that it's out now and done when the company is to be acquired as opposed to after Verizon acquires it," he said.
Kramer also suggested that haggling at this point might not be worth it. "It's probably not worth the opportunity costs," he said. "It doesn't really change operationally what Verizon would need to do."
Comparing the news to other major online attacks, Kramer pointed out that customers usually don't swear off a company for good after a data breach. "Unfortunately, we're largely in a post-hack world… I think a lot of people still don't pay enough attention to these things."