Yahoo is having a rough week.
The company revealed on September 22 that it had been hacked by what it believed was a “state-sponsored actor” that stole information for at least 500 million accounts.
This week, it’s still investigating the breach along with the FBI. Meanwhile, it’s now the subject of at least 3 proposed class-action lawsuits, and US Senators are asking the company to explain itself and for the SEC to investigate.
The onslaught of negative attention comes at a particularly bad time for Yahoo, which is currently working on its sale to Verizon after agreeing to purchase it for $4.8 billion in July.
Sen. Al Franken (D-Minn.) and his colleagues wrote in a letter to Yahoo CEO Marissa Mayer: “We are even more disturbed that user information was first compromised in 2014, yet the company only announced the breach last week. That means millions of Americans’ data may have been compromised for two years. This is unacceptable.”
The most pressing question asked in the letter is to find out when and how Yahoo first learned that it had been breached. Franken asked the company to provide a timeline.
A Yahoo spokesperson told Business Insider the company had “received the letter and will work to respond in a timely and appropriate manner.”
On Monday, Sen. Mark Warner (D-Va.) sent a letter to SEC Chairwoman Mary Jo White urging the agency to open an investigation to see whether Yahoo had “made complete and accurate representations” about its security.
Judy Burns, a spokeswoman for the SEC, declined to comment on Sen. Warner’s letter or whether it would be investigating Yahoo.
Meanwhile, a Los Angeles man has filed a proposed class-action lawsuit against Yahoo that alleges negligence, breach of contract, and violations of California’s state civil and business codes. Two other suits filed in San Francisco are also seeking class-action status.
Besides its potential legal troubles, Yahoo could also lose customers over the breach.
Why it matters when the hack happened
So far, Yahoo has not said when it found it had been hacked, but that question is central to what happens next.
That’s because Yahoo filed documents with the Security and Exchange Commission on September 9 indicating that there had “not been any incidents” of security breaches that could have an adverse affect on its business.
If it knew it had been hacked prior to its September 9 filing, the agency could rake the company over the coals over this potential lack of disclosure.
And if knowledge of the hack goes back even further than that — like prior to July when Verizon agreed to buy Yahoo — the $4.8 billion deal could be in jeopardy.
On Wednesday morning, Business Insider asked Yahoo when it learned it had been hacked. As with previous inquires, Yahoo declined to provide a date, and said, “Our investigation into this matter is ongoing and the issues are complex.”
A person familiar with the matter told Business Insider the company initiated an investigation after apparent credentials from Yahoo customers appeared on the dark web in August, but it later found the data being sold was not legitimate.
But during a deeper look into its networks, Yahoo found the much larger breach of at least 500 million user accounts exposed.
This person said Yahoo had “a high degree of confidence” the theft was carried out by a unnamed state-sponsored actor, and occurred sometime in 2014.
Some insiders say Yahoo didn’t take security seriously
In the wake of the event, insiders have come forward to criticise Yahoo’s stance toward security over the last few years.
Although its security team worked hard to mitigate potential threats, six current and former Yahoo employees told The New York Times on Wednesday that security took a backseat at the company, often because Mayer worried that enhanced security features could lead users to flee its services.
The latest breach was one of “a number of previous incidents that were not managed swiftly” by Mayer, according to internal sources who spoke with Recode.
These arguments over security may also explain Yahoo’s unusually high turnover among its Chief Information Security Officers.
Its first CISO, Justin Somaini, joined the company in 2011 and stayed until Jan. 2013, leaving in part because he was “unhappy with the regime” of Mayer, according to Kara Swisher. After his departure, the company didn’t have a full-time CISO until March 2014, with the hiring of Alex Stamos.
One executive told Recode that Stamos tried unsuccessfully to have top management respond more strongly to such security incidents.
But Stamos and Mayer repeatedly clashed, according to the sources who spoke with the Times: “She denied Yahoo’s security team financial resources and put off proactive security defences, including intrusion-detection mechanisms for Yahoo’s production systems,” the Times wrote.
Stamos left for Facebook a little over a year later. His interim replacement, Ramses Martinez, moved to Apple only a month after being put in the role. Yahoo’s current CISO Bob Lord has been on the job for 11 months.
Yahoo declined to answer specific questions posed by Business Insider, but provided this statement in regards to its security practices:
“Over the course of our more than 20-year history, Yahoo’s executive management and entire team have focused on and invested in security programs and talent to protect our users. For example, we invested more than $10 million to encrypt our platform in early 2014, and our investment in security initiatives from 2015 to 2016 will have increased by 60 per cent. We routinely conduct red team exercises, where we adopt the tools and methods of adversaries to test and improve our defences. In the last two years, a vibrant Yahoo bug bounty program has resulted in $1.8 million in cash payouts to security researchers from around the world and enabled Yahoo to meaningfully strengthen our security posture. Today’s security landscape is complex and ever-evolving, but, at Yahoo, we have a deep understanding of the threats facing our users and continuously strive to stay ahead of these threats to keep our users and our platforms secure.”