A recent Yahoo filing with the Securities and Exchange Commission reveals the online firm knew that around 500 million of its users’ accounts had been hacked in late 2014, even though it didn’t publicly confirm the breach until September of 2016.
“In late July 2016, a hacker claimed to have obtained certain Yahoo user data. After investigating this claim with the assistance of an outside forensic expert, the Company could not substantiate the hacker’s claim. Following this investigation, the Company intensified an ongoing broader review of the Company’s network and data security, including a review of prior access to the Company’s network by a state-sponsored actor that the Company had identified in late 2014,” Yahoo said in the filing.
The stolen information included users’ names, email addresses, phone numbers, dates of birth, hashed passwords, and security questions and answers. Yahoo says 23 consumer class action suits have been filed over the breach, but can’t estimate what the total monetary damages will be. However, the company estimates the hack has caused it to lose $1 million so far.
The revelation of the breach comes as Yahoo is in the midst of a planned sale to Verizon. The wireless carrier has reportedly asked for a $1 billion discount on the selling price in light of the hack.
Yahoo says it has formed an independent committee to review “the scope of knowledge within the Company in 2014 and thereafter regarding this access, the Security Incident, the extent to which certain users’ account information had been accessed.”
Senator Mark Warner has requested that the SEC investigate what Yahoo knew about the breach, and when it learned about it, saying: “Yahoo’s September filing asserting lack of knowledge of security incidents involving its IT systems creates serious concerns about truthfulness in representations to the public.”