Yahoo executives didn’t understand the severity and scope of the 2014 attack that led to the theft of user data and, as a result, failed to investigate the incident as well as they should have, the company said in a regulatory filing.
Attackers, who the company has said were state-sponsored, compromised Yahoo’s network in 2014 and were able to exfiltrate a large amount of data. Some Yahoo employees and senior officials knew about the attack by the end of that year and had determined that the attackers were targeting a small subset of Yahoo users. In a filing with the Securities and Exchange Commission this week, Yahoo said its executives and legal team didn’t properly investigate the attack.
“Based on its investigation, the Independent Committee concluded that the Company’s information security team had contemporaneous knowledge of the 2014 compromise of user accounts, as well as incidents by the same attacker involving cookie forging in 2015 and 2016. In late 2014, senior executives and relevant legal staff were aware that a state-sponsored actor had accessed certain user accounts by exploiting the Company’s account management tool. The Company took certain remedial actions, notifying 26 specifically targeted users and consulting with law enforcement,” the filing says.
“While significant additional security measures were implemented in response to those incidents, it appears certain senior executives did not properly comprehend or investigate, and therefore failed to act sufficiently upon, the full extent of knowledge known internally by the Company’s information security team. Specifically, as of December 2014, the information security team understood that the attacker had exfiltrated copies of user database backup files containing the personal data of Yahoo users but it is unclear whether and to what extent such evidence of exfiltration was effectively communicated and understood outside the information security team. However, the Independent Committee did not conclude that there was an intentional suppression of relevant information. Nonetheless, the Committee found that the relevant legal team had sufficient information to warrant substantial further inquiry in 2014, and they did not sufficiently pursue it.”
The 2014 attack was not an isolated incident. Last year, Yahoo revealed a data breach that affected more than a billion users, and there was an earlier, separate breach that affected 500 million users. During the investigation into those breaches, the company’s outside forensic team discovered that the attackers had accessed Yahoo’s internal code system and had used that access to learn how Yahoo creates user cookies. The company revealed in its SEC filing that cookies for approximately 32 million user accounts were forged or stolen in that incident.
“In November and December 2016, the Company disclosed that based on an investigation by its outside forensic experts, it believes an unauthorized third party accessed the Company’s proprietary code to learn how to forge certain cookies. The outside forensic experts have identified approximately 32 million user accounts for which they believe forged cookies were used or taken in 2015 and 2016,” the filing says.
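The security lesson in the cookie-forging incident is that reading the code must not be enough to mint a valid session cookie. The following is an added illustration, not Yahoo's code and not based on any detail of its cookie format: a weak scheme whose only "secret" is a constant in the source (so anyone holding the code base can produce cookies that verify) next to a scheme that HMACs the cookie payload with a key kept outside the code base (assumed here to arrive via the `SESSION_KEY` environment variable) and that supports key rotation and expiry, so cookies minted under any other key, tampered with, or too old are rejected.

```python
import base64
import hashlib
import hmac
import json
import os
import time
from typing import Optional

# Constructed example. The weak scheme keeps its "secret" in the source, so
# the cookie's integrity value can be recomputed by anyone who can read the code.
WEAK_SALT = b"hardcoded-in-source"


def weak_issue(user_id: str) -> str:
    # Integrity value derived only from material present in the code base.
    digest = hashlib.sha256(user_id.encode() + WEAK_SALT).hexdigest()
    return f"{user_id}:{digest}"


def weak_verify(cookie: str) -> Optional[str]:
    user_id, _, digest = cookie.partition(":")
    expected = hashlib.sha256(user_id.encode() + WEAK_SALT).hexdigest()
    return user_id if hmac.compare_digest(digest, expected) else None


# Hardened scheme: HMAC-SHA256 over the payload with a key that lives outside
# the code base (assumption: injected through an environment variable or a
# secrets manager; a random key is generated here only so the demo runs).
def _load_key() -> bytes:
    env = os.environ.get("SESSION_KEY")
    return env.encode() if env else os.urandom(32)


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_cookie(user_id: str, key: bytes, issued_at: Optional[int] = None) -> str:
    # Payload carries the identity and issue time; the tag binds both to the key.
    payload = json.dumps(
        {"uid": user_id, "iat": issued_at if issued_at is not None else int(time.time())},
        separators=(",", ":"),
        sort_keys=True,
    ).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(tag)}"


def verify_cookie(cookie: str, keys: list, max_age: int = 86400,
                  now: Optional[int] = None) -> Optional[str]:
    """Return the user id if the cookie is authentic and fresh, else None.

    `keys` holds the current key first, then any previous keys still accepted
    during a rotation window; cookies minted under a retired key fail. Rotating
    the key is also what invalidates every outstanding cookie after a compromise.
    """
    try:
        p, t = cookie.split(".", 1)
        payload, tag = _unb64(p), _unb64(t)
    except (ValueError, TypeError):
        return None
    for key in keys:
        expected = hmac.new(key, payload, hashlib.sha256).digest()
        if hmac.compare_digest(tag, expected):  # constant-time comparison
            break
    else:
        return None  # no accepted key produced this tag
    data = json.loads(payload)
    current = now if now is not None else int(time.time())
    if current - int(data["iat"]) > max_age:
        return None  # stale cookie, even if the tag is valid
    return data["uid"]


if __name__ == "__main__":
    key = _load_key()
    cookie = issue_cookie("alice", key)
    print(verify_cookie(cookie, [key]))
```

The contrast to note is that `weak_verify(weak_issue(...))` succeeds for whoever calls it, because every input to the digest is in the repository, whereas `verify_cookie` only accepts tags produced with a key the server actually holds, and a key rotation immediately retires everything minted before it.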
As a result of the breaches, Yahoo is facing more than 40 class-action lawsuits, and lawmakers have taken an interest as well.