Can things get any more embarrassing for Yahoo? Amidst the carnage of the election, people were forgetting about the breach it revealed in September affecting 500 million users, and the unsubstantiated claim it was perpetrated by an unnamed nation state. Not to mention the revelations it had worked with the NSA to spy on Yahoo email and the potential scuppering of its $5 billion acquisition by Verizon.
But this week, it emerged that the company discovered the 2014 hack not long after it happened, rather than this September, when it first revealed the breach, the same month Verizon learned of the issue. In an SEC filing, Yahoo said the company had identified that a state-sponsored actor had access to the company’s network in late 2014, and that it had employed an Independent Committee of the Board, advised by independent counsel and a forensic expert, to investigate just which staff knew what two years ago.
There was more information on the breach too, revealing the hacker had found a way to avoid needing any usernames or passwords to access Yahoo customer accounts: “The forensic experts are currently investigating certain evidence and activity that indicates an intruder, believed to be the same state-sponsored actor responsible for the security incident, created cookies that could have enabled such intruder to bypass the need for a password to access certain users’ accounts or account information.”
Police also started working on a new lead this week. “On November 7, 2016, law enforcement authorities began sharing certain data that they indicated was provided by a hacker who claimed the information was Yahoo user account data. Yahoo will, with the assistance of its forensic experts, analyze and investigate the hacker’s claim that the data is Yahoo user account data,” the SEC filing read.
Thus far, the hack has cost Marissa Mayer’s company at least $1 million. Meanwhile, it’s facing 23 class action lawsuits from angry users and legal costs are expected to rise. And it may have issues with that Verizon deal too: “As a result of facts relating to the security incident and may seek to terminate the stock purchase agreement or renegotiate the terms of the sale transaction on that basis.”
Neither Verizon nor Yahoo had responded to a request for comment at the time of publication.