November 10, 2016
Yahoo today admitted to knowing two years ago about the 2014 breach of its systems that resulted in the hack of some 500 million of its users’ accounts.
In a filing with the SEC, Yahoo said an internal review — led by an independent Committee of the Board that was advised by independent counsel and a forensic expert — has revealed that some Yahoo employees were aware as of late 2014 that a “state-sponsored” entity had accessed its network, but they were unaware of the extent of the damage at the time.
“The Company had identified that a state-sponsored actor had access to the Company’s network in late 2014,” the filing reads. “An Independent Committee of the Board, advised by independent counsel and a forensic expert, is investigating, among other things, the scope of knowledge within the company in 2014 and thereafter regarding this access, the Security Incident, the extent to which certain users’ account information had been accessed.”
Yahoo said it is investigating whether the cyber-attackers planted cookies that would allow them to access user account data without a password. The filing also revealed the authorities had this week received new information related to the hack.
Police, on Nov. 7, “began sharing certain data that they indicated was provided by a hacker who claimed the information was Yahoo user account data. Yahoo will, with the assistance of its forensic experts, analyze and investigate the hacker’s claim that the data is Yahoo user account data,” reads the filing.
The company did not publicly announce that the breach of its systems had occurred until September of this year. Yahoo said at that time it had begun an investigation into the breach a few months earlier, when a supposed hacker, known as Peace, began bragging about scoring hundreds of millions of Yahoo usernames and passwords to sell on the dark Web. It is not thought that ‘Peace’ is part of the alleged state-sponsored attack that managed to filch names, e-mail addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers.
The breach was announced just a few months after Verizon agreed to acquire Yahoo’s Internet business for $4.83 billion in cash. It is not known if news of the breach will impact the deal. If the deal closes on schedule, it will be in the first quarter of 2017.
Jennifer Cowan is the Managing Editor for SiteProNews.