Earlier this month, Yahoo told Verizon that there had “not been any incidents of” security breaches that could have an adverse effect on business, but top executives had reportedly known since July, and quite possibly further back, that the company had been hacked.
Yahoo CEO Marissa Mayer was “aware and involved” in investigating an apparent data breach of 200 million users since learning of a security incident in late July, according to the Financial Times, which cited a person briefed on internal discussions.
The incident is one of “a number of previous incidents that were not managed swiftly by CEO Marissa Mayer,” according to internal sources who spoke with Recode.
One executive told Recode that the former head of information security tried unsuccessfully to have top management respond more strongly to such security incidents.
The breach could complicate Yahoo’s pending sale to Verizon, which agreed to purchase the company for $4.8 billion on July 25. The deal is expected to be finalised by the first quarter of 2017.
In a document filed with the SEC on September 9, Yahoo reported there had “not been any incidents” of security breaches that could affect the pending deal. The document was signed by Mayer and Yahoo’s general counsel, Ronald Bell.
Motherboard reporter Joseph Cox, who wrote of the dataset being sold on a dark web marketplace on August 1, first disclosed the apparent breach to Yahoo on July 30. At the time, Yahoo told Cox it was “aware of the claim.”
A person familiar with the matter told Business Insider the company initiated an investigation at that time and later found the data being sold was not legitimate, but during a deeper look into its networks, Yahoo found a much larger breach that exposed at least 500 million user accounts.
The person said Yahoo had “a high degree of confidence” the theft was carried out by a state-sponsored actor, though they declined to say which state. The person said the hack occurred sometime in 2014.
Executives at the company detected Russian-linked hackers “seeking data on 30 to 40 specific users” in the fall of 2014, the Wall Street Journal reported Friday. The hack was later reported to the FBI.
Here’s the timeline we know so far:
- Executives are aware of a state-sponsored hacker in Yahoo’s networks in the fall of 2014.
- The FBI begins investigating that hack.
- Verizon agrees to purchase Yahoo on July 25, 2016.
- Yahoo receives a report on July 30 of a possible data breach.
- Yahoo’s SEC filing on September 9 says it is not aware of any security breach.
- Yahoo discloses the breach of 500 million accounts to Verizon on September 20.
- Yahoo goes public with the news on September 22.
So what’s going on here?
It’s possible that Yahoo’s investigation, which found an apparent state-sponsored actor in its networks, happened after September 9; Yahoo has not said exactly when it found out about the breach.
There’s also a question of whether the Russia-linked hacker found in the fall of 2014 is the same one behind the breach of 500 million accounts.
A Yahoo spokesperson did not immediately respond to a request for comment.
But if the company did find it was hacked before September 9, it could be in hot water with the SEC or Verizon — especially since the breach has moved its stock price down from its Tuesday high of $44.83 to closing at $42.80 on Friday.
“The SEC is going to want to know exactly what they knew and when they knew it,” Stewart Baker, a partner at law firm Steptoe & Johnson and a former National Security Agency general counsel, told FT. “The SEC has been eager to investigate people who are slow to disclose breaches. This is an obvious target.”