Yahoo says employees knew about data breach in 2014

Timeline of company’s knowledge of hacking central to $4.8 billion Verizon deal

Yahoo chief executive Marissa Mayer. The 2014 data breach was not disclosed to Verizon during negotiations to sell Yahoo’s internet operations. Photograph: Robert Galbraith/Reuters
Yahoo chief executive Marissa Mayer. The 2014 data breach was not disclosed to Verizon during negotiations to sell Yahoo’s internet operations. Photograph: Robert Galbraith/Reuters

Yahoo employees knew in 2014 that a hacker backed by a foreign government had broken into its network, the company said in a securities filing on Wednesday. But Yahoo did not say whether the attack that year which led to the theft of data such as names, birth dates and encrypted passwords for more than 500 million accounts was disclosed to senior management at the time.

The timeline of who knew what about the attack and when has become central to the company's plan to sell its internet operations to Verizon Communications for $4.8 billion.

Yahoo first publicly disclosed the security breach on September 22nd this year, about two months after it struck the deal with Verizon.

Hacker claim

The company said it discovered the hacking, the largest known data breach affecting a private company, while investigating a hacker’s claim in July to have obtained certain Yahoo user data.

READ MORE

The breach was not disclosed to Verizon during negotiations, and last month Verizon executives said that it might have materially diminished the value of Yahoo and could cause Verizon to reopen the deal, which is expected to close early next year.

In its latest disclosure, part of a quarterly filing about its finances, Yahoo said it had discovered in 2014 that a “state-sponsored actor” had gained access to its network. The company did not say what action, if any, it took at the time.

Yahoo also disclosed new details about the attack.

The company said its board of directors and forensic experts were investigating “certain evidence and activity that indicates an intruder, believed to be the same state-sponsored actor responsible for the security incident, created cookies that could have enabled such intruder to bypass the need for a password to access certain users’ accounts or account information.”

Yahoo said that law-enforcement authorities began sharing data with the company on November 7th that purported to be Yahoo user information obtained by a hacker.

So far, 23 lawsuits related to the breach have been filed against Yahoo in the United States and abroad.

The company said it was co-operating with federal, state, local and foreign officials seeking information about the breach. – (New York Times Service)