Yahoo admitted to the world—on a news day dominated by a guy called Trump—that some of its employees were aware that it had suffered a breach shortly after a “state-sponsored actor” hacked into the ailing Web firm’s systems in 2014.
In a filing to the US Securities and Exchange Commission on Wednesday, Yahoo said that a panel of independent experts was looking at how much knowledge employees at the company had of the incident shortly after the massive breach had occurred.
Yahoo has previously stated that it only became aware of the hack attack following a “recent investigation.” As Ars reported previously, Yahoo confirmed in September that at least half a billion of its user accounts had been breached.
The company, in its latest filing, has revealed more details about the attack—which ransacked Yahoo usernames and associated e-mail addresses, telephone numbers, dates of birth, hashed passwords, and some encrypted and unencrypted security questions and answers. It said:
In late July 2016, a hacker claimed to have obtained certain Yahoo user data. After investigating this claim with the assistance of an outside forensic expert, the company could not substantiate the hacker’s claim.
Following this investigation, the company intensified an ongoing broader review of the company’s network and data security, including a review of prior access to the company’s network by a state-sponsored actor that the company had identified in late 2014.
Based on further investigation with an outside forensic expert, the company disclosed the Security Incident on September 22, 2016, and began notifying potentially affected users, regulators, and other stakeholders.
The key bit in that statement is the disclosure that at least some employees at Yahoo were aware of the attack two years ago.
It added that an independent committee of the firm’s board was investigating “among other things, the scope of knowledge within the company in 2014 and thereafter regarding this access, the Security Incident, the extent to which certain users’ account information had been accessed, the company’s security measures, and related incidents and issues.”
Yahoo said that forensic experts were also probing evidence that suggested an intruder—understood to be the same state-sponsored actor—created cookies that potentially inserted a password bypass flaw, thereby granting access to some user accounts or account details.
It also revealed that cops had recently begun “sharing certain data that they indicated was provided by a hacker who claimed the information was Yahoo user account data.” Yahoo said that it would analyse the hacker’s claim.
To date, the company has been hit with 23 class action lawsuits from angry consumers, both at home and abroad.
Yahoo has so far notched up $1 million (£800,000) in losses related to the megabreach—however, its latest quarter ended September 30 is yet to reveal the true pain to its bottom line.