Yahoo said in a securities filing Wednesday that employees knew in late 2014 a state-sponsored hacker entered its network and stole names, birth dates, and encrypted passwords for more than 500 million accounts.
Wednesday’s disclosure didn’t say which employees knew about the attack or who they informed.
Yahoo first disclosed the 2014 data breach in September this year.
The board is now investigating the attack with the help of forensic experts, Yahoo said Wednesday.
The company didn’t say when the board first learned about the attack or which executives, if any, knew about the attack when it happened.
Yahoo disclosed the attack in September, two months after entering into an agreement to sell itself to Verizon for $4.8 billion.
The hack is believed to be the biggest data breach of any private company.
Last month Verizon told Yahoo it was re-evaluating their deal in light of the data breach. Verizon said it was trying to determine if the breach was a material event that would allow it to walk away or renegotiate the price.
The breach wasn’t disclosed to Verizon during their negotiations.
Yahoo said Wednesday the hacker took user account information that included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers.
The company said 23 consumer class action lawsuits have been filed against it in the United States and overseas related to the data breach.
Yahoo said it is cooperating with federal, state, and foreign agencies “including the U.S. Federal Trade Commission, the U.S. Securities and Exchange Commission, a number of State Attorneys General, and the U.S. Attorney’s office for the Southern District of New York.”
* * *
Here’s the disclosure from the Form 10-Q filed by Yahoo! Inc. with the SEC on November 9, 2016:
On September 22, 2016, we disclosed that, based on an ongoing investigation, a copy of certain user account information for at least 500 million user accounts was stolen from Yahoo’s network in late 2014 (the “Security Incident”). We believe the user account information was stolen by a state-sponsored actor. The user account information taken included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers. Our investigation to date indicates that the stolen information did not include unprotected passwords, payment card data, or bank account information. Payment card data and bank account information are not stored in the system that the investigation found to be affected. Based on the investigation to date, we do not have evidence that the state-sponsored actor is currently in or accessing the Company’s network.
In late July 2016, a hacker claimed to have obtained certain Yahoo user data. After investigating this claim with the assistance of an outside forensic expert, the Company could not substantiate the hacker’s claim. Following this investigation, the Company intensified an ongoing broader review of the Company’s network and data security, including a review of prior access to the Company’s network by a state-sponsored actor that the Company had identified in late 2014. Based on further investigation with an outside forensic expert, the Company disclosed the Security Incident on September 22, 2016, and began notifying potentially affected users, regulators, and other stakeholders.
The Company, with the assistance of outside forensic experts, continues to investigate the Security Incident and related matters. The Company is actively working with U.S. law enforcement authorities on this matter.
As described above, the Company had identified that a state-sponsored actor had access to the Company’s network in late 2014. An Independent Committee of the Board, advised by independent counsel and a forensic expert, is investigating, among other things, the scope of knowledge within the Company in 2014 and thereafter regarding this access, the Security Incident, the extent to which certain users’ account information had been accessed, the Company’s security measures, and related incidents and issues.
In addition, the forensic experts are currently investigating certain evidence and activity that indicates an intruder, believed to be the same state-sponsored actor responsible for the Security Incident, created cookies that could have enabled such intruder to bypass the need for a password to access certain users’ accounts or account information.
Separately, on November 7, 2016, law enforcement authorities began sharing certain data that they indicated was provided by a hacker who claimed the information was Yahoo user account data. Yahoo will, with the assistance of its forensic experts, analyze and investigate the hacker’s claim that the data is Yahoo user account data.
We recorded expenses of $1 million related to the Security Incident in the quarter ended September 30, 2016. The Security Incident did not have a material adverse impact on our business, cash flows, financial condition, or results of operations for the quarter ended September 30, 2016. However, we have subsequently incurred expenses related to the Security Incident to investigate and take remedial actions to notify and protect our users, and expect to continue to incur investigatory, legal, and other expenses associated with the Security Incident in the foreseeable future. We will recognize and include these expenses as part of our operating expenses as they are incurred. The Company does not have cybersecurity liability insurance.
To date, 23 putative consumer class action lawsuits have been filed against the Company in U.S. federal and state courts, and in foreign courts relating to the Security Incident. The plaintiffs, who purport to represent various classes of users, generally claim to have been harmed by the Company’s alleged actions and/or omissions in connection with the Security Incident and assert a variety of common law and statutory claims seeking monetary damages or other related relief. Additional lawsuits and claims related to the Security Incident may be asserted by or on behalf of users, partners, shareholders, or others seeking damages or other related relief.
In addition, the Company is cooperating with federal, state, and foreign governmental officials and agencies seeking information and/or documents about the Security Incident and related matters, including the U.S. Federal Trade Commission, the U.S. Securities and Exchange Commission, a number of State Attorneys General, and the U.S. Attorney’s office for the Southern District of New York.
Richard L. Cassin is the publisher and editor of the FCPA Blog.