Yahoo filing offers glimpses into massive data breach

An unspecified number of people at Yahoo knew about a massive hack when it took place in late 2014, the company has revealed. The data breach, which affected 500 million users, became public in September 2016, and threatens Yahoo’s proposed acquisition by Verizon.

In a filing to the Securities and Exchange Commission (SEC) on Wednesday, Yahoo said it was investigating how many employees were aware of the hack in 2014, and how much they knew, AFP reported. Additionally, the filing acknowledged that the hackers could have planted malware that would have allowed them access to compromised accounts later.

“Forensic experts are currently investigating certain evidence and activity that indicates an intruder, believed to be the same state-sponsored actor responsible for the security incident, created cookies that could have enabled such [an] intruder to bypass the need for a password to access certain users' accounts or account information,” Yahoo said in the filing.

The revelations could threaten the company’s prospects of closing the $4.8 billion acquisition deal with the telecom giant Verizon. For the first time, Yahoo has formally admitted the possibility of the deal falling through.

The company came forward in September 2016 to acknowledge that up to 500 million users may have had their data compromised by “state-sponsored actors.” While no financial information was stolen, the hackers acquired usernames and dates of birth, passwords, backup email addresses, countries of origin and even ZIP codes. Yahoo said it only became aware of the hack after a “recent investigation” – something the SEC filing now seems to contradict.

In August, before the hack was acknowledged, a notorious hacker named ‘Peace_of_Mind’ offered data from some 200 million Yahoo addresses for sale on the “dark web.”

As a result of the hack, Yahoo has been hit with 23 class-action lawsuits in the US and abroad, and suffered up to $1 million in losses. The true extent of the damage will only be evident once the company releases its figures for the third quarter of 2016, which ended on September 30, reported Ars Technica.