Yahoo waited nearly two months to notify Verizon it had been breached in a massive hack, despite having known at least 200 million of its user credentials were being sold on a dark web marketplace since August.
On Thursday, Yahoo confirmed the breach was much worse, saying that “at least” 500 million user accounts were stolen by a “state-sponsored” attacker. The company only notified Verizon, which agreed to purchase Yahoo for nearly $5 billion in July, just two days ago.
Just days after Verizon and Yahoo agreed to the $4.8 billion deal, Motherboard’s Joseph Cox reached out to Yahoo with questions regarding a listing for account credentials on a dark web marketplace. A spokesperson didn’t deny they were legitimate, and told Cox “we are aware of the claim.”
According to Yahoo’s press release, it opened an investigation into the matter and confirmed the breach to the general public about 52 days later. So for nearly two months, affected accounts and passwords were being sold on the dark web, while users were oblivious.
Verizon didn’t get special treatment either, having just a two day heads up on the hack, which sent Yahoo’s stock down from $44 to $43 after the news broke.
The incident is one of “a number of previous incidents that were not managed correctly” by CEO Marissa Mayer, according to internal sources who spoke with Re/Code. The site reported one executive saying the former head of security tried unsuccessfully to have top management respond more strongly to such security incidents.
Yahoo did not immediately respond to specific questions from Business Insider on its delay reporting the breach to affected users.