Some Yahoo employees were aware that the company had been compromised as far back as 2014, even though Yahoo officials only disclosed the breach affecting 500 million users two months ago, the company said in a regulatory filing.
The company also said that on Monday, law enforcement officials informed Yahoo that a hacker had come forward with information purported to be stolen Yahoo customer data.
“Separately, on November 7, 2016, law enforcement authorities began sharing certain data that they indicated was provided by a hacker who claimed the information was Yahoo user account data. Yahoo will, with the assistance of its forensic experts, analyze and investigate the hacker’s claim that the data is Yahoo user account data,” Yahoo said in an SEC filing this week.
The Yahoo data breach is perhaps the largest one of all time, and it came to light in September after a hacker claimed in July to have stolen a large amount of user information from the company’s network. While Yahoo officials didn’t turn up any evidence that the hacker had actually stolen any data, security experts uncovered details of a previous breach from 2014.
“Following this investigation, the Company intensified an ongoing broader review of the Company’s network and data security, including a review of prior access to the Company’s network by a state-sponsored actor that the Company had identified in late 2014. Based on further investigation with an outside forensic expert, the Company disclosed the Security Incident on September 22, 2016, and began notifying potentially affected users, regulators, and other stakeholders,” Yahoo said in its filing with the Securities and Exchange Commission this week.
The data breach included the theft of a large swath of user information, such as email addresses, names, phone numbers, and dates of birth. Yahoo said no payment or bank account information was taken, but the fact that some inside the company knew about the compromise nearly two years before it was disclosed have raised many questions about the incident. Yahoo said it is still investigating who knew what and when.
“As described above, the Company had identified that a state-sponsored actor had access to the Company’s network in late 2014. An Independent Committee of the Board, advised by independent counsel and a forensic expert, is investigating, among other things, the scope of knowledge within the Company in 2014 and thereafter regarding this access, the Security Incident, the extent to which certain users’ account information had been accessed, the Company’s security measures, and related incidents and issues,” the filing says.
“In addition, the forensic experts are currently investigating certain evidence and activity that indicates an intruder, believed to be the same state-sponsored actor responsible for the Security Incident, created cookies that could have enabled such intruder to bypass the need for a password to access certain users’ accounts or account information.”
There have been 23 class-action suits filed against Yahoo in the wake of the breach.
Image: Gui Carvalho, CC By-ND 2.0 license.