The major breach at Yahoo was known about for at least two years, according to a recent Securities and Exchange Commission (SEC) filing.
While noting that it is “routinely targeted by outside third parties, including technically sophisticated and well-resourced state-sponsored actors, attempting to access or steal our user and customer data or otherwise compromise user accounts,” Yahoo stated that it believed a state-sponsored actor was responsible for the theft involved in the security incident.
Describing the event, Yahoo said that although it disclosed the breach on 22 September, after claims in July that the data was being held by an attacker, a review of prior access to the company’s network had found that “the Company had identified that a state-sponsored actor had access to the Company’s network in late 2014.”
The filing stated: “An Independent Committee of the Board, advised by independent counsel and a forensic expert, is investigating, among other things, the scope of knowledge within the Company in 2014 and thereafter regarding this access, the Security Incident, the extent to which certain users’ account information had been accessed, the Company’s security measures, and related incidents and issues.”
It also said that, based on the investigation to date, Yahoo does not have evidence that the state-sponsored actor is currently in, or accessing, the company’s network. Yahoo continues to investigate the incident with the assistance of outside forensic experts and with US law enforcement authorities.
“In addition, the forensic experts are currently investigating certain evidence and activity that indicates an intruder, believed to be the same state-sponsored actor responsible for the security incident, created cookies that could have enabled such intruder to bypass the need for a password to access certain users’ accounts or account information,” it said.
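The filing describes forged cookies that let an intruder skip the password step. The reason such a cookie is only useful if the attacker also holds the server's signing material, and the reason rotating that material invalidates every cookie issued under it, is easiest to see in code. The following is an added illustration written for this article, not Yahoo's implementation or anything from the filing; the key ids, key bytes and cookie layout are hypothetical and constructed here. It mints a session cookie as an HMAC-SHA256-signed payload, verifies it server-side, and shows that an altered cookie, a cookie signed under a retired key, and an expired cookie are all rejected.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed server-side signing keys, keyed by key id (hypothetical values).
# Rotating a key means adding a new id and dropping the old one from this map.
SIGNING_KEYS = {"k1": b"constructed-signing-key-1"}
CURRENT_KEY_ID = "k1"
SESSION_TTL = 3600  # seconds a session cookie stays valid


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(key: bytes, payload: bytes) -> bytes:
    return hmac.new(key, payload, hashlib.sha256).digest()


def mint_cookie(user_id: str, now: Optional[float] = None) -> str:
    """Issue a session cookie as base64(payload).base64(HMAC-SHA256(payload))."""
    now = time.time() if now is None else now
    claims = {"uid": user_id, "kid": CURRENT_KEY_ID, "exp": int(now + SESSION_TTL)}
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    return _b64e(payload) + "." + _b64e(_sign(SIGNING_KEYS[CURRENT_KEY_ID], payload))


def verify_cookie(cookie: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user id if the cookie is authentic and unexpired, else None."""
    now = time.time() if now is None else now
    try:
        payload_b64, sig_b64 = cookie.split(".", 1)
        payload, sig = _b64d(payload_b64), _b64d(sig_b64)
        claims = json.loads(payload)
        key = SIGNING_KEYS.get(claims["kid"])
        exp = int(claims["exp"])
        uid = str(claims["uid"])
    except (ValueError, KeyError, TypeError):
        return None  # malformed: wrong shape, bad base64/JSON, missing fields
    if key is None:
        return None  # signed under a rotated-out or never-issued key id
    if not hmac.compare_digest(_sign(key, payload), sig):
        return None  # payload altered, or MAC produced without the server key
    if exp < now:
        return None  # expired
    return uid


def rotate_key(new_key_id: str, new_key: bytes) -> None:
    """Retire the active key; every cookie signed under it stops verifying."""
    global CURRENT_KEY_ID
    SIGNING_KEYS.clear()
    SIGNING_KEYS[new_key_id] = new_key
    CURRENT_KEY_ID = new_key_id


def rewrite_user_id(cookie: str, new_user_id: str) -> str:
    """Swap the uid claim but keep the original MAC (what a tampered cookie looks like)."""
    payload_b64, sig_b64 = cookie.split(".", 1)
    claims = json.loads(_b64d(payload_b64))
    claims["uid"] = new_user_id
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    return _b64e(payload) + "." + sig_b64


if __name__ == "__main__":
    good = mint_cookie("alice", now=1000)
    print("valid cookie      ->", verify_cookie(good, now=1500))                          # alice
    print("tampered uid      ->", verify_cookie(rewrite_user_id(good, "bob"), now=1500))   # None
    print("expired           ->", verify_cookie(good, now=5000))                          # None
    rotate_key("k2", b"constructed-signing-key-2")
    print("after key rotation->", verify_cookie(good, now=1500))                          # None
```

The two properties worth noting for an incident like this one: verification uses `hmac.compare_digest` so the MAC check does not leak timing, and rejection on an unknown key id is what makes key rotation an effective response once cookie-forging capability is suspected, since every previously issued cookie, legitimate or forged, fails together.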
Lee Munson, security researcher at Comparitech.com, said: “The amount of time it took for the breach to be detected and become public knowledge was disturbing, especially coming as it did so soon after a similar situation at LinkedIn.
“The fact that Yahoo staff knew of the breach at the time it occurred and kept quiet is completely and utterly unforgivable. Not only is it what appears to be a complete cover-up as the company continues merger talks with Verizon, it is also a huge slap in the face to half a billion customers who must now be wondering whether they can ever trust Yahoo again.”