While its users are still digesting the news, the massive breach could also have bigger implications and compromise Yahoo’s recent agreement with Verizon, its future parent company, costing it hundreds of millions of dollars.
Verizon confirmed that it will buyout Yahoo for $4.83bn (£3.6bn) in cash in July marking the end of the six-month sale process and the end of an era for a company that once defined the internet. The deal was originally expected to close in the first quarter of 2017.
“For Verizon this is a big problem. They are attempting to acquire a company that is now publically announcing it suffered a massive breach. So they now have to factor in the cost of investigating the breach, the cost of reassuring all of Yahoo’s users that they have been protected and marketing that,” Michael Borohovski, co-founder of Tinfoil Security, told Bloomberg.
Verizon could claim a material breach for the data hack, by arguing that the event has caused irreparable harm to Yahoo in terms of customer trust and usage.
Robert Peck, an analyst with SunTrust, estimates the breach could shave $100m to $200m off the closing price of the deal.
"As Verizon are about to buy Yahoo, they will have to consider the backlash of future issues with compromised account data. Because the ramifications of data breaches are often felt in the future, they will have to consider the implications of any customers who can prove identity issues caused as a result of this particular breach if they are the new owners," Mark James, security specialist at ESET, said.
The biggest threat to the agreement relates to when exactly Yahoo found out about the breach and how long it waited to disclose it publically.
A clause in the merger agreement signed on 23 July states that there had not been any incidents or allegations of hacking or security breaches “that could reasonably be expected to have a business material adverse effect”.
However, a few days after the deal was signed, Yahoo said it was investigating a data breach in which hackers claimed to have access to 200 million user accounts. At the time, Yahoo declined to say whether it first learned of the hack before or after that deal was announced, according to the Washington Post.
In an official statement, Verizon said it was notified of Yahoo’s security incident only two days ago.
"Within the last two days, we were notified of Yahoo's security incident. We understand that Yahoo is conducting an active investigation of this matter, but we otherwise have limited information and understanding of the impact," Verizon said in a statement.
Gadget and tech news: In pictures
Show all 25
Keatron Evans, a partner at consulting firm Blink Digital Security told CNBC: "If we find out that they knew about this breach two years ago, then there's going to be some hard questions about why they didn't disclose it.”
"When it's something intentional, and there was obvious intention to defraud, then that's more impetus for congressional hearings."
Yahoo said it is currently working with law enforcements as it sought to respond to the attack.
Join our commenting forum
Join thought-provoking conversations, follow other Independent readers and see their replies