[BreachExchange] Yahoo discovered hack leading to major data breach two years before it was disclosed

[Audrey McNeil]

https://www.washingtonpost.com/news/the-switch/wp/2016/
11/10/yahoo-discovered-hack-leading-to-major-data-breach-
two-years-before-it-was-disclosed/

Yahoo discovered the hack that led to a data breach affecting more than a
half billion accounts nearly two years before the attack was disclosed in
September, according to documents filed with financial regulators
Wednesday.

News of the breach broke as Yahoo was finalizing a deal to sell off its
core business to Verizon. That deal may now be under threat, Yahoo
acknowledged for the first time in a filing with the Securities and
Exchange Commission.

Yahoo noticed the infiltration, which it claims was carried out by
state-backed hackers, shortly after it occurred in late 2014, according to
the regulatory filing. However, the company did not understand the extent
of the attack until a claim by a hacker in July to have obtained vast
amounts of Yahoo user data led to a review, the document suggested.

The company had brought in outside forensics experts who were unable to
substantiate the claims made in July, according to the filing.

A “more complete picture” of the 2014 attack that emerged during an
examination following the July claims led to the September disclosure, a
person familiar with the matter told The Post.

When the data breach was first disclosed, Yahoo only described its
discovery as the result of a “recent investigation.” However, there was
speculation among industry observers about how long the company knew about
the hack.

A Wall Street Journal story in September that cited an unnamed source
reported that state-sponsored hackers broke into Yahoo's systems in fall
2014 — although it stopped short of linking the attack to the data breach.

In the filing, Yahoo says its investigation into the breach is ongoing and
that it's working with law enforcement agencies and regulators on the
issue. The company is now investigating evidence that the hackers behind
the 2014 breach found a way to access certain users’ accounts without their
passwords, the filing said.

The filing also revealed that Yahoo has created an independent committee
being advised by “independent counsel and a forensic expert” to investigate
how widespread knowledge of the hack was within the company in 2014.

In a section listing risks to the Verizon deal, Yahoo said the telecom
giant may seek to renegotiate or call off the agreement because of the
breach.

Verizon has already raised concerns about the hack. In an October call with
investors, the telecom giant’s chief financial officer, Fran Shammo, said
it the company had to “assume” the breach would have a material impact on
Yahoo. If it does, that offers Verizon a way out of the agreement.

“We’re still evaluating the situation and haven’t reached any final
conclusions,” Verizon's chief communications officer, Jim Gerace, told The
Post in an email.

In the SEC filing, Yahoo said it recorded $1 million worth of expenses
related to the breach in the fiscal quarter that ended on Sept. 30, but
those expenses “did not have a material adverse impact” in that period.

However, the company also acknowledged it has incurred further expenses
related to hack since then.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20161110/e611df4f/attachment.html>