Yahoo has recently admitted that some of its staff knew about the 2014 hacking, well before the information was actually made public. The company’s Form Q10 filed with US Securities and Exchange Commission (SEC) admits that there was a state-sponsored attack on its network in 2014.
According to the SEC filing, which is available on the website of the regulator, the relevant paragraph on the ‘Security Incident’ reads like this: “In late July 2016, a hacker claimed to have obtained certain Yahoo user data. After investigating this claim with the assistance of an outside forensic expert, the Company could not substantiate the hacker’s claim. Following this investigation, the Company intensified an ongoing broader review of the Company’s network and data security, including a review of prior access to the Company’s network by a state-sponsored actor that the Company had identified in late 2014.”
So it looks like Yahoo had identified such an attack in 2014, but was publicly silent on the same. Yahoo’s SEC filing admits that in 2014 they had identified that a state-sponsored actor had access to their network and for now they have “an Independent Committee of the Board, advised by independent counsel and a forensic expert,” which “is investigating, among other things, the scope of knowledge within the company in 2014…”
Based on the filing, it looks like Yahoo is still trying to figure out how many people within the company knew of the first attack in 2014.
It also looks like Yahoo still has forensic experts part of an ongoing investigation looking at “certain evidence and activity that indicates an intruder,” most likely the same hacker created new cookies which could allow the hacker to bypass need for a password in order to access accounts, account information. The last bit, if true, is worrying for Yahoo and its users.
Yahoo also says that currently law enforcement authorities are “sharing certain data that they indicated was provided by a hacker who claimed the information was Yahoo user account data.” Yahoo still has to check on the hacker’s claim that the data is indeed from their company.
Back in September, Yahoo sent out alerts to its users detailing the fact that it faced a massive security breach. Yahoo confirmed over 500 million mail account passwords were accessed, the largest ever data breach in the company’s history.
According to the company, a state-sponsored entity was involved in the breach, but they did not believe the hackers had access to the network anymore. Yahoo had advised its customers to change their passwords in order to secure their accounts.
The company is also in the middle of $4.8 billion acquisition by Verizon, and the recent data breach has added to uncertainty around the deal.
In October, Verizon Communications had said that it has a “reasonable basis” to believe Yahoo massive data breach of email accounts represents a material impact that could allow Verizon to withdraw from its $4.83 billion deal to buy the technology company. Verizon’s general counsel Craig Silliman told reporters at a roundtable in Washington the data breach could trigger a clause in the deal that would allow the US wireless company not to complete it. At the time of the report, a Yahoo spokesperson had issued a statement saying, “We are confident in Yahoo’s value and we continue to work towards integration with Verizon.”
For now it looks like Yahoo is still trying to figure out the extent of the data breach, which isn’t a good sign.