Yahoo fessed up in its latest SEC filing that it knew in 2014 that attackers were on its network and stole information from 500 million accounts.
The breach was disclosed in September and Yahoo blamed state-sponsored attackers, a claim that was challenged by some experts who instead said a criminal outfit was behind the attack and may have sold some of the data to an Eastern European government.
The SEC filing also contains a confirmation from Yahoo that Verizon’s multibillion-dollar acquisition of Yahoo’s core business could be in jeopardy, and that Verizon could seek to terminate or renegotiate the terms of the sale. Verizon executive vice president Marni Walden said at a Wall Street Journal event 10 days ago that Verizon was still moving forward with the acquisition, but according to the Journal, stopped short of ruling out a halt to the deal if necessary.
“What we have to be careful about is what we don’t know,” Walden said. “We’re not going to jump off a cliff blindly so we need to have more information before we can determine, but strategically the deal still makes a lot of sense to us.”
Yahoo said that claims in July from hackers that 200 million account credentials were available for purchase on an underground hacker forum prompted a deeper investigation into the security of its network and a broader look at the 2014 intrusion.
“In addition, the forensic experts are currently investigating certain evidence and activity that indicates an intruder, believed to be the same state-sponsored actor responsible for the Security Incident, created cookies that could have enabled such intruder to bypass the need for a password to access certain users’ accounts or account information,” Yahoo told the SEC.
It added that on Monday, law enforcement shared data, provided by a hacker, that is allegedly legitimate Yahoo account information; Yahoo said it is investigating.
Yahoo told the SEC that the stolen information included names, email addresses, telephone numbers, dates of birth, hashed passwords and encrypted and unencrypted security questions and answers. Yahoo reaffirmed earlier statements that no payment card data or bank account information was stolen; that information, Yahoo said, was not stored on the systems that were accessed.
News of the Yahoo breach surfaced at a time when large-scale password dumps were being disclosed in waves. Most of the Yahoo passwords were hashed using bcrypt, but some were secured with MD5, a long-outdated algorithm that is considered unsafe and has been deprecated in many corners.
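The mixed bcrypt/MD5 store described above is the kind of legacy exposure a defender wants to measure and retire. The following is an added example, not Yahoo's code or anything from the article: it classifies credential records by hash format, counts how many still sit behind unsalted MD5, shows the extra leak that unsalted hashes cause (users with the same password get the same digest), and re-hashes a legacy record at the one moment the plaintext is available, a successful login. The record formats, the constructed store, and the choice of the standard library's PBKDF2-HMAC-SHA256 as the slow, salted replacement (standing in for bcrypt, which needs the third-party `bcrypt` package) are assumptions of this example.

```python
import hashlib
import hmac
import os
import re

# Stored-hash shapes (assumed conventions for this example): a legacy MD5
# record is a bare 32-hex-digit digest with no salt; a bcrypt record is the
# "$2a$"/"$2b$"/"$2y$" modular-crypt string; upgraded records use the
# PBKDF2 format produced by pbkdf2_hash() below.
MD5_HEX = re.compile(r"^[0-9a-f]{32}$")
BCRYPT = re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$")
PBKDF2_PREFIX = "pbkdf2_sha256$"
# Kept low so the example runs quickly; a production deployment would use a
# much higher iteration count (or bcrypt/scrypt/Argon2).
PBKDF2_ITERATIONS = 100_000


def hash_kind(stored):
    """Classify a stored credential by its on-disk format."""
    if MD5_HEX.match(stored):
        return "md5"
    if BCRYPT.match(stored):
        return "bcrypt"
    if stored.startswith(PBKDF2_PREFIX):
        return "pbkdf2_sha256"
    return "unknown"


def pbkdf2_hash(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Salted, deliberately slow hash from the standard library, used here as
    the stand-in for bcrypt. A fresh random salt per record means equal
    passwords no longer produce equal digests."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{PBKDF2_PREFIX}{iterations}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(stored, password):
    _, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def verify_and_upgrade(stored, password):
    """Check a password against its stored record. A successful login against
    a legacy MD5 record is the only moment the plaintext is available, so the
    record is re-hashed with the slow, salted scheme and the new value is
    returned for the caller to persist. Returns (ok, record_to_store)."""
    kind = hash_kind(stored)
    if kind == "md5":
        ok = hmac.compare_digest(hashlib.md5(password.encode()).hexdigest(), stored)
        return ok, (pbkdf2_hash(password) if ok else stored)
    if kind == "pbkdf2_sha256":
        return verify_pbkdf2(stored, password), stored
    # bcrypt verification needs the external library; not wired in this example.
    raise ValueError(f"no verifier wired for {kind!r} records")


def audit(store):
    """Count records per hash format so remaining MD5 exposure is visible."""
    counts = {}
    for stored in store.values():
        kind = hash_kind(stored)
        counts[kind] = counts.get(kind, 0) + 1
    return counts


def legacy_users(store):
    """Users whose record must be re-hashed at their next successful login."""
    return sorted(u for u, h in store.items() if hash_kind(h) == "md5")


def duplicate_hashes(store):
    """Unsalted hashes expose equal passwords as equal digests; every group
    larger than one is a finding in its own right."""
    groups = {}
    for user, stored in store.items():
        if hash_kind(stored) == "md5":
            groups.setdefault(stored, []).append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


# Constructed credential store (not real data). The bcrypt entry is a
# shape-only placeholder, not a hash of any password.
STORE = {
    "alice": hashlib.md5(b"correct horse").hexdigest(),
    "dave": hashlib.md5(b"correct horse").hexdigest(),
    "bob": "$2b$12$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0",
    "carol": pbkdf2_hash("battery staple", salt=bytes(16)),
}

if __name__ == "__main__":
    print("formats in store:", audit(STORE))
    print("needs upgrade:", legacy_users(STORE))
    print("shared passwords:", duplicate_hashes(STORE))
    ok, new_record = verify_and_upgrade(STORE["alice"], "correct horse")
    print("alice login ok:", ok, "-> record now", hash_kind(new_record))
```

Run as a script it reports two users still on MD5, that those two share a password (visible only because MD5 here is unsalted), and that alice's record becomes a PBKDF2 record after one good login. The upgrade-on-login pattern is what lets a store like the one Yahoo described drain its legacy hashes without ever needing the plaintexts in bulk.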
Security company Venafi said in late September that data collected from its internal certificate reputation service indicates that Yahoo’s cryptographic practices were a mixed bag of outdated hashes and self-signed certificates, none of which are entirely secure.
Beyond the use of SHA-1 and MD5, for example, Venafi said that it found a wildcard certificate with a five-year expiration date, much longer than the typical 12- to 18-month lifetime. It added that 27 percent of certificates on external Yahoo sites had been in place since January 2015 and that fewer than 3 percent had been issued in the previous 90 days. Weakened certificates have been attacked in the past to redirect traffic or to pose as a Yahoo site and steal credentials or intercept traffic.
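The certificate statistics Venafi cites (long lifetimes, wildcard subjects, self-signed issuers, how much of the estate was issued recently) are exactly what an internal certificate inventory audit should produce. The following is an added example, not Venafi's service or anything from the article: it parses the key=value lines that `openssl x509 -noout -subject -issuer -dates` prints for each certificate, flags wildcard, self-signed, long-lived and expired certificates, and computes the "issued in the last 90 days" and "in place since January 2015" percentages over the inventory. The inventory of example.com certificates, the audit date, and the thresholds (18 months as "long-lived", 90 days as "recent", end of January 2015 as the "in place since" cutoff) are constructed assumptions for this example.

```python
from datetime import datetime, timedelta

# Thresholds are assumptions for this example, taken from the article's
# framing: a lifetime beyond 18 months is "long-lived" and a certificate
# issued within the last 90 days is "recent".
MAX_LIFETIME_DAYS = 18 * 30
RECENT_DAYS = 90
IN_PLACE_SINCE = datetime(2015, 1, 31)
OPENSSL_DATE = "%b %d %H:%M:%S %Y %Z"   # e.g. "Jan  1 00:00:00 2015 GMT"


def common_name(dn):
    """Pull the CN out of a distinguished name such as 'CN = www.example.com'."""
    for part in dn.split(","):
        name, _, value = part.partition("=")
        if name.strip() == "CN":
            return value.strip()
    return ""


def parse_cert(lines):
    """Turn the subject/issuer/notBefore/notAfter lines openssl prints into a
    dict. openssl prints GMT, so the naive datetimes are treated as UTC."""
    fields = dict(line.split("=", 1) for line in lines)
    cert = {
        "subject": fields["subject"].strip(),
        "issuer": fields["issuer"].strip(),
        "not_before": datetime.strptime(fields["notBefore"].strip(), OPENSSL_DATE),
        "not_after": datetime.strptime(fields["notAfter"].strip(), OPENSSL_DATE),
    }
    cert["cn"] = common_name(cert["subject"])
    return cert


def lifetime_days(cert):
    return (cert["not_after"] - cert["not_before"]).days


def findings(cert, now):
    """Policy checks for one certificate; an empty list means it is clean."""
    issues = []
    if cert["cn"].startswith("*."):
        issues.append("wildcard")          # one key covers every subdomain
    if cert["subject"] == cert["issuer"]:
        issues.append("self-signed")       # nothing a client can validate against
    if lifetime_days(cert) > MAX_LIFETIME_DAYS:
        issues.append("long-lived")        # a leaked key stays useful for years
    if cert["not_after"] < now:
        issues.append("expired")
    return issues


def summarize(inventory, now):
    """Estate-wide numbers of the kind quoted in the article, plus per-CN flags."""
    certs = [parse_cert(c) for c in inventory]
    total = len(certs)
    recent = sum(1 for c in certs if now - c["not_before"] <= timedelta(days=RECENT_DAYS))
    old = sum(1 for c in certs if c["not_before"] <= IN_PLACE_SINCE)
    return {
        "total": total,
        "recent_pct": round(100.0 * recent / total, 1),
        "in_place_since_pct": round(100.0 * old / total, 1),
        "flagged": {c["cn"]: findings(c, now) for c in certs if findings(c, now)},
    }


# Constructed inventory (not real certificates), one entry per certificate,
# in the field formats openssl prints.
INVENTORY = [
    ["subject=CN = *.example.com", "issuer=CN = Example Issuing CA",
     "notBefore=Jan  1 00:00:00 2015 GMT", "notAfter=Jan  1 00:00:00 2020 GMT"],
    ["subject=CN = internal.example.com", "issuer=CN = internal.example.com",
     "notBefore=Jun  1 00:00:00 2015 GMT", "notAfter=Jun  1 00:00:00 2016 GMT"],
    ["subject=CN = www.example.com", "issuer=CN = Example Issuing CA",
     "notBefore=Aug 15 00:00:00 2016 GMT", "notAfter=Aug 15 00:00:00 2017 GMT"],
    ["subject=CN = mail.example.com", "issuer=CN = Example Issuing CA",
     "notBefore=Jan  1 00:00:00 2015 GMT", "notAfter=Dec 31 00:00:00 2016 GMT"],
]
AUDIT_DATE = datetime(2016, 9, 30)   # constructed audit date

if __name__ == "__main__":
    report = summarize(INVENTORY, AUDIT_DATE)
    print(f"{report['total']} certificates, {report['recent_pct']}% issued in the "
          f"last {RECENT_DAYS} days, {report['in_place_since_pct']}% in place since "
          f"{IN_PLACE_SINCE:%B %Y}")
    for cn, issues in report["flagged"].items():
        print(f"  {cn}: {', '.join(issues)}")
```

Feeding it real data is a loop of `openssl s_client -connect host:443 | openssl x509 -noout -subject -issuer -dates` per host; the audit logic stays the same. The point of the lifetime check is the one the article makes: a wildcard certificate valid for five years means a single leaked key impersonates every subdomain for the whole period.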
Congress soon weighed in with a letter to CEO Marissa Mayer demanding to know why it took Yahoo two years to disclose the attack, and expressing dismay that users’ data had been exposed during that period. Vermont Senator Patrick Leahy called the situation “unacceptable.”
The breach, Yahoo told the SEC, has also given birth to 23 class-action lawsuits filed against the company making claims of harm and seeking damages and relief. Yahoo said it has spent $1 million in the third quarter of this year related to its breach investigation, but said the breach did not materially impact its business or cash flow for the quarter. Yahoo also admitted in its filing that it does not have cybersecurity liability insurance.