So much about the Yahoo breach is still unknown, including how it happened and what data was actually lost.
However, here are some key consequences of the breach which could impact Yahoo in the coming months and possibly years.
1. Lawsuits
There have already been reports of disgruntled Yahoo users launching lawsuits against the internet company.
One California-based group of plaintiffs filed a class action on behalf of all of those affected by the breach. This was done under several parts of the California Civil Code such as the Consumer Legal Remedies Act, the Federal Stored Communications Act and the Unfair Competition Act.
A man called Ronald Schwartz has also filed a suit in New York against Yahoo.
Considering that the breach affected 500 million accounts, the pay-outs could be massive.
2. Reputation and brand damage
Yahoo has been struggling to keep up with its erstwhile competitors from its internet heyday such as Google.
Despite many acquisitions, it has failed to achieve the same adaption that its competitors have managed. For example, Yahoo has seen its share of internet search traffic snapped up by Google and other providers.
According to Netmarketshare.com, as of July Yahoo had a global search share of 7.68 percent, behind Baidu at 8.8 percent, Bing at 11.31 percent and Google at 70.16 percent.
It is a shame, then, that a service which still held a hefty chunk of the market, email, has now been cast into disrepute.
TalkTalk saw its profits halve in the quarter following its data breach. If customers blame Yahoo for the breach or no longer trust Yahoo to protect their data there could be huge consequences.
This could deprive Yahoo of a rich repository of useful data and a key revenue stream.
Yahoo works as the email backbone for several other providers, such as BT. These companies may be keen to avoid attracting bad press from Yahoo’s breach and may aim to move more customers onto their own or other services.
3. Regulatory fines
Yahoo is lucky that the General Data Protection Regulation is not already in place; if this were the case, it could be looking at a fine of 2 percent of its annual worldwide turnover for taking two years to report the breach.
This doesn’t mean that there will be no response from data regulators, however. Several national data regulatory authorities, including the UK’s Information Commissioner’s Office (ICO) and Ireland’s Data Protection Commissioner are looking into the breach.
In the US, according to a blog by Varonis, there is no “federal notification law with any teeth” that will apply in this case. However, a senator has asked the SEC to investigate the hack and a group of Democrat senators have written a letter to CEO Marissa Mayer demanding action.
However, in the state of California, the regulator requires notification on the discovery of unauthorised access.
“So Yahoo can expect a visit from the California attorney general in its future,” said Varonis.
4. Verizon buy-out and investor action
Yahoo’s investors include a small but determined faction of activist firms which have been agitating for a long time against the company’s performance.
As Mayer took maternity leave in December, Yahoo investor SpringOwl Asset Management proposed a new plan to cut the company’s workforce by 75 percent and oust her.
Spending on employee perks such as free food and iPhones came under particular criticism, as well as spending on lavish company events such as a $7 million Great Gatsby-themed party. SpringOwl said that the fact that 15 percent of Yahoo’s top performers left in the course of 2015 was an indictment of Mayer’s leadership.
Theoretically the opinions of investors don’t matter so much anymore; Yahoo is set to be sold off to Verizon for just under $5 billion.
There are clauses that Verizon could theoretically activate off the back of this information in order to terminate or renegotiate the deal.
If the deal does fall through then Yahoo may face tough action from investors as it searches for a new buyer: one that will likely offer less than the sum Verizon was willing to pay.
5. Degraded consumer experience
Whether Yahoo is hit by another breach or not, it now carries the stigma of being hit in a cyber breach.
However, the loss of user data means that the customers that do not desert the platform could be subject to more cyber attacks and more spam due to the leaking of their email addresses on the internet.
As the email addresses were posted on the dark web, they were accessible to criminals who might collect them and use them for phishing or other large-scale attacks.
This may alienate Yahoo’s users by subjecting them to a possible barrage of new junk mail.
6. Security expenditure
In the long-term, Yahoo is going to have to demonstrate that it is taking security issues quickly.
Estimates for the proportion of a company’s earnings that should be spent on cyber security vary widely depending on whom you ask.
However, the company will be forced to start shelling out cash in order to ensure it is prepared for the next breach.
While Yahoo claims to have strict security practices, it will have to examine its defences as well as the poor policies in place that allowed a breach to go undetected for two years.