Yahoo admits staff knew of 'state-sponsored' hack in 2014
Yahoo is facing 'at least' 23 putative class action lawsuits after major hack.
In the wake of a massive hack that compromised over half a billion user accounts, technology giant Yahoo has revealed it is currently probing claims of a fresh data breach – a development that it warns may put the ongoing $4.8bn (£3.6bn) Verizon takeover bid in real jeopardy.
In a legal filing to the US Securities and Exchange Commission (SEC) on 9 November, Yahoo stated that law enforcement, two days prior, "began sharing certain data that they indicated was provided by a hacker who claimed the information was Yahoo user account data."
It continued: "Yahoo will, with the assistance of its forensic experts, analyse and investigate the hacker's claim that the data is Yahoo user account data." The firm has not elaborated on the hackers' claim, instead saying the analysis remains ongoing.
In September, Yahoo admitted the loss of at least 500 million user accounts from 2014 – including names, email addresses and hashed passwords. A week after this was made public, a second scandal hit as sources said the firm was scanning all incoming emails on behalf of US intelligence.
At the time, officials within Yahoo said a "recent investigation" had confirmed a "state-sponsored actor" had infiltrated its systems. It emerged that Verizon, despite being in the middle of purchasing the company, was not informed of the breach until two days before Yahoo went public.
However, the SEC filings reveal that at least some Yahoo staff "had identified that a state-sponsored actor had access to the company's network in late 2014." As a result of this, it said an independent committee has now been set up to look into the "scope of knowledge within the company in 2014."
The report said in full:
"In late July 2016, a hacker claimed to have obtained certain Yahoo user data. After investigating this claim with the assistance of an outside forensic expert, the Company could not substantiate the hacker's claim. Following this investigation, the Company intensified an ongoing broader review of the Company's network and data security, including a review of prior access to the Company's network by a state-sponsored actor that the Company had identified in late 2014. Based on further investigation with an outside forensic expert, the Company disclosed the Security Incident on September 22, 2016, and began notifying potentially affected users, regulators, and other stakeholders."
Yahoo also said it is "investigating certain evidence and activity that indicates an intruder, believed to be the same state-sponsored actor responsible for the [2014 hack] created cookies that could have enabled such intruder to bypass the need for a password to access certain users' accounts or account information."
The firm has not yet released any technical analysis to back up the assertion that a nation-state threat (in other words, hackers affiliated with a government) was the culprit in the major security breach. Indeed, some security experts openly doubted the claim.
The SEC report also shows how Yahoo is now facing "at least" 23 putative consumer class action lawsuits and other cases brought forward by users, shareholders and partners. Additionally, investigations have been launched by "federal, state, and foreign governmental officials," it said.
Verizon benefits 'may not be realised'
The mounting trouble may bring the future of the Verizon deal into question, Yahoo said in the 'risks and uncertainties' section of the SEC filing. "There is no assurance that the sale transaction will be consummated in a timely manner or at all," it stated. "In addition, the anticipated benefits of the sale transaction may not be realised."
Yahoo also said there are "risks that Verizon may assert, or threaten to assert, rights or claims with respect to the Stock Purchase Agreement as a result of facts relating to the security incident and may seek to terminate the Stock Purchase Agreement or renegotiate the terms of the Sale transaction on that basis."
Previously, speculation arose that Verizon bosses may seek a $1bn discount. "We will evaluate as the investigation continues through the lens of the overall Verizon interests, including consumers, customers, shareholders and related communities," it said in a statement.
© Copyright IBTimes 2024. All rights reserved.