After months of speculation, Yahoo has finally admitted it knew about a massive data breach as far back as 2014.
The tech company had previously claimed it only “recently” found out about the leak of 500 million user accounts. Independent experts are now investigating exactly how much was known and by whom, Yahoo said.
They are looking at evidence that indicates a “state-sponsored actor” breached Yahoo’s system and could have gained user data by creating “cookies” that bypassed password protection, the company said in a regulatory filing. Yahoo said it doesn’t believe it is currently possible for the attackers to forge valid Yahoo Mail cookies.
Verizon, which is in the process of buying Yahoo, has said it could lower its $4bn purchase price, or even withdraw the bid altogether, if more damaging information was revealed.
Verizon was only informed of the hack a week before it was publicly exposed in September, despite the fact Yahoo had known for two years.
“As a result of facts relating to the security incident [Verizon] may seek to terminate the stock purchase agreement or renegotiate the terms of the sale,” it said.
In further revelations, Yahoo said it is investigating a new claim that user account data was obtained by a hacker, the latest security challenge for the company as it prepares for the planned acquisition.
Police began sharing certain information on Monday that was provided by a hacker who claimed it was Yahoo user account data.
“It was a good day to bury the news,” Dr. Joss Wright from the University of Oxford’s Internet Institute told the BBC, referring to the fact that Yahoo’s filing had coincided with Donald Trump winning the US election.
“Because there’s rarely a large visible event when a breach happens, companies can choose not to report them hoping that they can fix the problem internally.