Yahoo Knew About Massive Data Breach Two Years Before It Originally Admitted
Some staff members knew about the breach but may not have known the scope
"The Company had identified that a state-sponsored actor had access to the Company's network in late 2014," Yahoo's most recent 10-k form said. The company only confirmed in September of this year that the hack had occurred.
Yahoo stated in the filing that it had organized an independent board committee to investigate, including "the scope of the knowledge within the company in 2014 and thereafter regarding this access" and "the extent to which certain users' account information had been accessed."
The stolen data included email addresses, phone numbers, dates of birth, hashed passwords, and security question answers.
Although some employees at the tech company might have known about the hack, what they may not have known about was the scope of it.
"It wasn't until this most recent intensification of the investigation that really gave the full scope of what occurred," an anonymous source said.
Until now Yahoo has claimed that it first discovered that the hack had occurred in August when tech blog Vice Motherboard reported a hacker was claiming to be selling hundreds of millions of Yahoo accounts online. Though it ultimately determined that this was not the case, Yahoo has said, it decided to take another look at the strength of its defenses, which eventually led to the discovery of the breach.
The SEC filing reveals more information about the hack. One such revelation is that the company claims that its forensic investigators think the state-sponsored hacker kept access to users' email accounts through cookie forgery, a method of bypassing password protections. This, as Financial Times notes, could mean "that a cyber criminal could have access [to the accounts] even after passwords are changed."
According to Fortune, the company also claims to have paid one million dollars in expenses related to the hack over the most recent quarter and that 23 class-action lawsuits related to the breach have been filed against it. However, it continues to maintain that the hack "did not have a material adverse impact on our business."
Verizon is currently set to purchase Yahoo for $4.8 billion, though there is some question about whether or not that deal is now in jeopardy.
"We are confident in Yahoo's value and we continue to work towards integration with Verizon," said a Yahoo spokesperson.
The company also revealed in the filing that law enforcement has given it another dataset that a hacker claims to contain users' account information. Yahoo did not provide any further details regarding the cache or whether it was linked to the pending investigation. It did, however, state that it was investigating the claims.