Earlier this week, the day after Election Day — a day absolutely guaranteed to take focus off it — Yahoo said in a regulatory filing that it had known for two years that a “state-sponsored actor” had been inside its systems.
The 10-Q Yahoo filed revises the account given when Recode first broke the news that the company had suffered an enormous security breach affecting 500 million user accounts. The details lifted by hackers from Yahoo servers included a wide variety of personal information such as names, birthdates and unprotected security questions and answers.
At the time, Yahoo had said that the hack was discovered in a “recent investigation” and its buyer Verizon had only been told that week.
Not so! “The Company had identified that a state-sponsored actor had access to the Company’s network in late 2014,” said Yahoo in its filing. Such changes are not uncommon as investigations proceed, but sources said that Yahoo was aware of many earlier hacking issues.
Yahoo also revealed in the filing that it has been sued 23 times in relation to the breach, although it is not currently setting aside any money for those suits. “Based on current information, the Company does not believe that a loss from these matters is probable and therefore has not recorded an accrual for litigation or other contingencies relating to the Security Incident,” said Yahoo. The company said a spate of federal and state government agencies were also sniffing around.
In addition, Yahoo said in its filing that it had hired an independent panel of experts to study the breach, although sources inside the company said that the bulk of the investigation was being tightly controlled by CEO Marissa Mayer and general counsel Ron Bell.
More to come, obviously, as Yahoo and Verizon sort through this mess. The transition planning for the $4.8 billion acquisition of Yahoo by Verizon continues, said sources — with new terms awaiting some better understanding of how much this breach is going to cost.
Until then, here is the whole pertinent section that was buried deep in the Election Day filing about the hack:
Description of Event
On September 22, 2016, we disclosed that, based on an ongoing investigation, a copy of certain user account information for at least 500 million user accounts was stolen from Yahoo’s network in late 2014 (the “Security Incident”). We believe the user account information was stolen by a state-sponsored actor. The user account information taken included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers. Our investigation to date indicates that the stolen information did not include unprotected passwords, payment card data, or bank account information. Payment card data and bank account information are not stored in the system that the investigation found to be affected. Based on the investigation to date, we do not have evidence that the state-sponsored actor is currently in or accessing the Company’s network.
In late July 2016, a hacker claimed to have obtained certain Yahoo user data. After investigating this claim with the assistance of an outside forensic expert, the Company could not substantiate the hacker’s claim. Following this investigation, the Company intensified an ongoing broader review of the Company’s network and data security, including a review of prior access to the Company’s network by a state-sponsored actor that the Company had identified in late 2014. Based on further investigation with an outside forensic expert, the Company disclosed the Security Incident on September 22, 2016, and began notifying potentially affected users, regulators, and other stakeholders.
The Company, with the assistance of outside forensic experts, continues to investigate the Security Incident and related matters. The Company is actively working with U.S. law enforcement authorities on this matter.
As described above, the Company had identified that a state-sponsored actor had access to the Company’s network in late 2014. An Independent Committee of the Board, advised by independent counsel and a forensic expert, is investigating, among other things, the scope of knowledge within the Company in 2014 and thereafter regarding this access, the Security Incident, the extent to which certain users’ account information had been accessed, the Company’s security measures, and related incidents and issues.
In addition, the forensic experts are currently investigating certain evidence and activity that indicates an intruder, believed to be the same state-sponsored actor responsible for the Security Incident, created cookies that could have enabled such intruder to bypass the need for a password to access certain users’ accounts or account information.
Separately, on November 7, 2016, law enforcement authorities began sharing certain data that they indicated was provided by a hacker who claimed the information was Yahoo user account data. Yahoo will, with the assistance of its forensic experts, analyze and investigate the hacker’s claim that the data is Yahoo user account data.
Current and Future Expenses and Losses
We recorded expenses of $1 million related to the Security Incident in the quarter ended September 30, 2016. The Security Incident did not have a material adverse impact on our business, cash flows, financial condition, or results of operations for the quarter ended September 30, 2016. However, we have subsequently incurred expenses related to the Security Incident to investigate and take remedial actions to notify and protect our users, and expect to continue to incur investigatory, legal, and other expenses associated with the Security Incident in the foreseeable future. We will recognize and include these expenses as part of our operating expenses as they are incurred. The Company does not have cybersecurity liability insurance.
Litigation, Claims, and Governmental Investigations
To date, 23 putative consumer class action lawsuits have been filed against the Company in U.S. federal and state courts, and in foreign courts relating to the Security Incident. The plaintiffs, who purport to represent various classes of users, generally claim to have been harmed by the Company’s alleged actions and/or omissions in connection with the Security Incident and assert a variety of common law and statutory claims seeking monetary damages or other related relief. Additional lawsuits and claims related to the Security Incident may be asserted by or on behalf of users, partners, shareholders, or others seeking damages or other related relief.
In addition, the Company is cooperating with federal, state, and foreign governmental officials and agencies seeking information and/or documents about the Security Incident and related matters, including the U.S. Federal Trade Commission, the U.S. Securities and Exchange Commission, a number of State Attorneys General, and the U.S. Attorney’s office for the Southern District of New York.
This article originally appeared on Recode.net.