Yahoo in September confirmed that credentials belonging to at least 500 million user accounts had been stolen during what it believed was a state-sponsored attack on its networks back in 2014.
The admission, which came nearly two months after a notorious hacker listed the accounts for sale on a dark web marketplace, threatened to compromise Verizon’s $4.83 billion acquisition of the Internet pioneer.
As it turns out, news of the breach wasn’t exactly a surprise to everyone at Yahoo.
In a recent filing with the U.S. Securities and Exchange Commission, Yahoo said that in late July of this year, a hacker claimed to have obtained certain Yahoo user data. With the assistance of an outside forensic expert, Yahoo was unable to substantiate the hacker’s claim.
Following this investigation, Yahoo said it intensified an ongoing, broader review of its network and data security including a review of prior access to its network by a state-sponsored actor that Yahoo had identified in late 2014. With help once again from an outside expert, Yahoo disclosed the incident on September 22, 2016.
What’s relevant here is that Yahoo had identified the incident in late 2014.
In the filing, Yahoo added that “an Independent Committee of the Board, advised by independent counsel and a forensic expert, is investigating, among other things, the scope of knowledge within the Company in 2014 and thereafter regarding this access, the Security Incident, the extent to which certain users’ account information had been accessed, the Company’s security measures, and related incidents and issues.”
Furthermore, experts are investigating evidence and activity that suggests an intruder, believed to be the same state-sponsored actor responsible for the 2014 breach, created cookies that could have enabled them to bypass the need for a password to access certain users’ accounts or account information.
Yahoo notes that Verizon may seek to terminate the agreement or renegotiate its terms based on facts relating to the security incident.
To date, Yahoo has fielded 23 lawsuits related to the breach in the US and abroad.