In a big fat reveal, Yahoo discloses some precise details about the security breach which affects more than billions of Yahoo accounts. The information coming through our reporters is that the hackers who breached into Yahoo got the Yahoo’s code somehow and were able to generate their cookies and were able to breach over 32 million accounts since 2015 and 2016.
Also, the report of the 10-K statement provided to the SEC says, Just after the violation Yahoo disclosed this matter to 26 people and also visited and consulted with law enforcement after it became aware that state-sponsored hackers had exploited its account management tool for access.
Along with that, earlier Yahoo already revealed the level of the breach during December, But Also the company admits in the report of 2014 that “it appears certain senior executives did not adequately comprehend or investigate, and therefore failed to act sufficiently upon, the full extent of knowledge known internally by the Company’s information security team.”
As per the consequences of the breach, the Yahoo board members punished the CEO and restricted her to receive the cash bonus she was to receive for 2016, Not only this the major factor is that the general counsel Ronald S. Bell resigned the company.
So, During filing on Wednesday, Yahoo stated that it had followed new processes and structures to improve the extent of security incidents. Also, the Shares of Yahoo down about 0.4 percent within some hours to $46.24, while the Verizon stock downed 0.7 percent to $49.81.
Description of Events
On September 22, 2016, we disclosed that a copy of certain user account information for approximately 500 million user accounts was stolen from Yahoo’s network in late 2014 (the “2014 Security Incident”). The Company believes the user account information was stolen by a state-sponsored actor. The user account information taken included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with the “bcrypt” hashing algorithm) and, in some cases, encrypted or unencrypted security questions and answers. Our forensic investigation indicates that the stolen information did not include unprotected passwords, payment card data, or bank account information. Payment card data and bank account information are not stored in the system that the investigation found to be affected. We have no evidence that the state-sponsored actor is currently in or accessing the Company’s network.
On December 14, 2016, we disclosed that, based on our outside forensic expert’s analysis of data files provided to the Company in November 2016 by law enforcement, we believe an unauthorized third party stole data associated with more than one billion user accounts in August 2013 (the “2013 Security Incident”). We have not been able to identify the intrusion associated with this theft, and we believe this incident is likely distinct from the 2014 Security Incident. For potentially affected accounts, the user account information stolen included names, email addresses, telephone numbers, dates of birth, hashed passwords (using the MD5 algorithm) and, in some cases, encrypted or unencrypted security questions and answers. The stolen information did not include passwords in clear text, payment card data, or bank account information.
In November and December 2016, we disclosed that our outside forensic experts were investigating the creation of forged cookies that could allow an intruder to access users’ accounts without a password. Based on the investigation, we believe an unauthorized third party accessed the Company’s proprietary code to learn how to forge certain cookies. The outside forensic experts have identified approximately 32 million user accounts for which they believe forged cookies were used or taken in 2015 and 2016 (the “Cookie Forging Activity”). We believe that some of this activity is connected to the same state-sponsored actor believed to be responsible for the 2014 Security Incident. The forged cookies have been invalidated by the Company so they cannot be used to access user accounts.
The 2013 Security Incident, the 2014 Security Incident, and the Cookie Forging Activity are collectively referred to herein as the “Security Incidents.” With respect to each of the Security Incidents, the impacted users and appropriate regulatory and law enforcement agencies have been notified.
The Company, with the assistance of outside forensic experts, has concluded its investigation of the Security Incidents. The Company continues to work with U.S. law enforcement authorities on these matters.
Independent Committee Investigation
As previously disclosed, an independent committee (the “Independent Committee”) of the Board of Directors (the “Board”) has investigated the Security Incidents and related matters, including the scope of knowledge within the Company in 2014 of access to Yahoo’s network by the state-sponsored actor responsible for the theft and related incidents, the Company’s internal and external reporting processes and remediation efforts related to the 2014 Security Incident and related incidents. The Independent Committee has concluded its investigation, although it will continue to review developments regarding the Security Incidents and report to the Board on these issues, and cooperate with various government entities. The Independent Committee was assisted by independent counsel, Sidley Austin LLP, and a forensic expert. The Board has separately been advised by other outside counsel regarding the Security Incidents and recommendations regarding remedial actions.
Based on its investigation, the Independent Committee concluded that the Company’s information security team had contemporaneous knowledge of the 2014 compromise of user accounts, as well as incidents by the same attacker involving cookie forging in 2015 and 2016. In late 2014, senior executives and relevant legal staff were aware that a state-sponsored actor had accessed certain user accounts by exploiting the Company’s account management tool. The Company took certain remedial actions, notifying 26 specifically targeted users and consulting with law enforcement. While significant additional security measures were implemented in response to those incidents, it appears certain senior executives did not properly comprehend or investigate, and therefore failed to act sufficiently upon, the full extent of knowledge known internally by the Company’s information security team. Specifically, as of December 2014, the information security team understood that the attacker had exfiltrated copies of user database backup files containing the personal data of Yahoo users but it is unclear whether and to what extent such evidence of exfiltration was effectively communicated and understood outside the information security team. However, the Independent Committee did not conclude that there was an intentional suppression of relevant information.
Nonetheless, the Committee found that the relevant legal team had sufficient information to warrant substantial further inquiry in 2014, and they did not sufficiently pursue it. As a result, the 2014 Security Incident was not properly investigated and analyzed at the time, and the Company was not adequately advised with respect to the legal and business risks associated with the 2014 Security Incident. The Independent Committee found that failures in communication, management, inquiry and internal reporting contributed to the lack of proper comprehension and handling of the 2014 Security Incident. The Independent Committee also found that the Audit and Finance Committee and the full Board were not adequately informed of the full severity, risks, and potential impacts of the 2014 Security Incident and related matters.