Congressional Leaders Demand Answers on Yahoo Breach

A number of Democratic Congressional leaders wrote Yahoo CEO Marissa Mayer a letter seeking answers about the breach of 500 million customer records.

Vermont Senator Patrick Leahy, along with a number of his Democratic congressional colleagues, has demanded answers from Yahoo CEO Marissa Mayer about what is now the biggest data breach in history. Leahy called the two years between the intrusion of Yahoo’s network and the discovery and disclosure of the breach “unacceptable.”

Leahy yesterday said he has sent a letter to Mayer demanding to know why it took two years to disclose what Yahoo has called a state-sponsored attack that resulted in the loss of information associated with 500 million accounts. He has also asked for a timeline of the attack that includes when law enforcement and users were informed, and what Yahoo’s plans are for preventing future intrusions.

“We are even more disturbed that user information was first compromised in 2014, yet the company only announced the breach last week. That means millions of Americans’ data may have been compromised for two years. This is unacceptable,” Leahy said. “This breach is the latest in a series of data breaches that have impacted the privacy of millions of American consumers in recent years, but it is by far the largest. Consumers put their trust in companies when they share personal and sensitive information with them, and they expect all possible steps be taken to protect that information.”

Adding to the mounting pressure on Mayer for answers is a New York Times article that alleges Yahoo did not prioritize investments in information security, and that Mayer and other executives clashed with former chief information security officer Alex Stamos over support for end-to-end encryption and other security initiatives.

Stamos, the current chief security officer at Facebook, declined to comment for this article.

Yahoo disclosed last week that state-sponsored hackers were on its network in 2014 and stole extensive user account information including hashed passwords, some of which were protected with the outdated and unsafe MD5 algorithm.

Yahoo forced a password reset on affected users and urged anyone who had not changed their credentials since 2014 to do so immediately. Users were also advised to change passwords on other web-based services that used the same or similar credentials, illustrating again the dangers of password reuse.

The 2014 breach may be unrelated to a cache of 200 million Yahoo credentials dating back to 2012 that were put up for sale on a dark web market known as The Real Deal by a hacker known as Peace, or peace_of_mind. Yahoo’s encryption practices were also questioned by crypto security firm Venafi, which last week published results of an analysis that indicates the possibility of an overall lack of visibility and centralized management of Yahoo’s crypto processes.

Stamos was at the helm of Yahoo’s security operation post-Snowden and saw through a number of crypto initiatives on Yahoo’s services that began before his tenure as CISO. Some of those include the implementation of HTTPS by default on its popular email service and the availability of an end-to-end email encryption extension. Yahoo was criticized at the time, however, for lagging behind other large technology providers, and for falling short with its lack of certain industry standard encryption such as Forward Secrecy and current versions of TLS on some services. At the time, experts were also critical of Yahoo’s use of RC4, another outdated cipher.

Leahy was behind the Consumer Privacy Protection Act, and has been a vocal critic of the government’s surveillance activities post-Snowden. His letter to Mayer prompts her to provide his staff with a briefing on the investigation and asks her to answer the following questions:

  • When and how did Yahoo first learn that its users’ information may have been compromised? Please provide a timeline detailing the nature of the breach, when and how it was discovered, when Yahoo notified law enforcement or other government authorities about the breach, and when Yahoo notified its customers.
  • Press reports indicate the breach first occurred in 2014, but was not discovered until August of this year. If this is accurate, how could such a large intrusion of Yahoo’s systems have gone undetected?
  • What Yahoo accounts, services, or sister sites have been affected?
  • How many total users are affected? How were these users notified?
  • What protection is Yahoo providing the 500 million Yahoo customers whose identities and personal information are now compromised?
  • What steps can consumers take to best protect the information that may have been compromised in the Yahoo breach?
  • What is Yahoo doing to prevent another breach in the future? Has Yahoo changed its security protocols, and in what manner?
  • Did anyone in the U.S. government warn Yahoo of a possible hacking attempt by state-sponsored hackers or other bad actors? When was this warning issued?

Suggested articles