They friggin’ knew…
Yahoo has continued to astound both the world and their hopeful acquisition partner Verizon, but not in a fashion for which anyone would hope. In their latest regulatory filing with the Securities and Exchange Commission (SEC), the company identified that they knew of the security breach that put at risk customer passwords, phone numbers and email address from 500 million accounts beginning in 2014, but only made that knowledge public in September of this year.
“The Company had identified that a state-sponsored actor had access to the Company’s network in late 2014,” Yahoo’s most recent 10-K form admitted.
The tech company is investigating. Itself.
To address the issue, Yahoo has created an independent committee of its board of directors, charged with investigating two elements: The breadth of the knowledge within Yahoo that accounts had been compromised beginning in 2014 and continuing until this year, and the depth to which user account information had been mined and accessed. To assist them in their work, the board is advised by independent counsel and a forensic expert in their investigation.
Yahoo stated in its SEC filing that its investigation led them to believe that the state-sponsored hackers “created cookies that could have enabled such intruder to bypass the need for a password to access certain users’ accounts or account information.”
The breach has already cost Yahoo over $1M
Speaking on condition of anonymity to Fortune, a confidential source stated that the company believes that their signature Yahoo Mail program and user accounts are now finally secure. “It wasn’t until this most recent intensification of the investigation that really gave the full scope of what occurred,” the source said to Fortune, referring to the company’s renewed interest in reviewing its security posture after it began investigating the claims of a hacker earlier this year.
Now the defendant in 23 separate class action lawsuits, Yahoo has paid breach-related expenses of $1 million over the most recent quarter. Marissa Mayer, Yahoo CEO, stated in the latest earnings call that user engagement metrics, which are vital to maintaining rates for Yahoo’s advertising sales, had not been affected by the response to the hacking incident.
However, some analysts, including those at Fortune, have noted that an increase in user engagement with Yahoo Mail could be nothing more than victims (or those who were concerned that they were), logging in to change their passwords and account details.
Will Verizon still buy Yahoo?
Verizon’s proposed $4.8 billion acquisition of Yahoo hangs in the balance, as the company deals with both this issue and the previous revelation that it had complied with a U.S. government demand to review hundreds of millions of Yahoo Mail accounts at the request of the National Security Agency or the FBI.
“We’re still evaluating the situation and haven’t come to any conclusions,” said Jim Gerace, Verizon’s chief communication officer.
Verizon has previously claimed that it had not been made aware of the existence of Yahoo’s breach or their participation in the classified U.S. government program prior to making their offer for Yahoo.
Although such an acquisition would pass through the scrutiny of government regulators prior to its completion, Senator Patrick Leahy of Vermont and Senator Chuck Grassley of Iowa of the U.S. Senate Judiciary Committee have indicated their desire to hold hearings on the matter of the email breach, further clouding Yahoo’s future.