On September 22, 2016, Yahoo issued a statement confirming that hackers infiltrated its systems in late 2014 and lifted account data tied to at least 500 million users. In its press release, Yahoo said that a recent investigation revealed that a copy of information “associated with at least 500 million user accounts” had been stolen from its network in late 2014 by what the company believed to be a “state-sponsored actor.” According to Yahoo, the stolen information includes names, email addresses, telephone numbers, dates of birth, hashed passwords, and, in some cases, encrypted or unencrypted security questions and answers. Yahoo does not believe that the stolen information includes unprotected (clear-text) passwords, payment card data, or bank account information; payment card and bank account data are stored in a different system from the one found to be affected. Note that a hashed password is not the same as an unrecoverable one: weakly hashed or commonly used passwords can still be recovered offline by guessing, which is why the advice below to change passwords still applies.
Yahoo is working closely with law enforcement on the matter, and there is no evidence that the state-sponsored hacker is still accessing Yahoo’s network. Yahoo is also in the process of notifying potentially affected users and has taken steps to secure their accounts. Yahoo asked users to change their passwords and to review their online accounts for suspicious activity, and to change passwords and security questions for any other accounts that may rely on the same or similar information as their Yahoo account. The last point matters because reused passwords and reused security answers let an attacker who holds one account’s credentials pivot to a user’s other accounts.
Yahoo’s data breach may lead to stricter disclosure requirements for companies. U.S. Senator Mark Warner (D-VA), a member of the Senate Intelligence and Banking Committees and a cofounder of the bipartisan Senate Cybersecurity Caucus, and U.S. Senator Richard Blumenthal (D-CT) both released statements calling for Congress to enact relevant legislation.
Sen. Warner criticized Yahoo for not reporting suspicions of a breach sooner. He stated that, although the scale of the data breach was among the largest on record, he was “most troubled by news that this breach occurred in 2014, and yet the public is only learning details of it today.” While Yahoo has not disclosed when it first learned of the breach, available information suggests that it was uncovered as part of an ongoing internal investigation that began in August of this year. Sen. Warner called on Congress to impose stricter disclosure requirements for companies. Companies are currently subject to a patchwork of state disclosure laws and sector-specific federal rules, but there is no general federal standard for reporting breaches. “Action from Congress to create a uniform state breach notification standard so that consumers are notified in a much more timely manner is long overdue,” Sen. Warner said in his statement.
Sen. Blumenthal’s statement was even more critical of Yahoo. According to Sen. Blumenthal, “[i]f Yahoo knew about the hack as early as August, and failed to coordinate with law enforcement, taking this long to confirm the breach is a blatant betrayal of their users’ trust.” Sen. Blumenthal also observed that this data “breach demonstrates the urgent need for Congress to enact data breach and security legislation – only stiffer enforcement and stringent penalties will make sure companies are properly and promptly notifying consumers when their data has been compromised.” Such criticism is being levied, however, before Yahoo has publicly disclosed all of the facts surrounding the incident.
Finally, some commentators are wondering whether Yahoo’s data breach may be the first to publicly derail a potential merger or acquisition. In July of this year, Verizon Communications Inc. agreed to purchase Yahoo’s core business for $4.83 billion, but that transaction has not been completed. Although major data breaches have become a routine event for corporate America, in this instance Sen. Blumenthal has called on law enforcement and regulators to “investigate whether Yahoo may have concealed its knowledge of this breach in order to artificially bolster its valuation in its pending acquisition by Verizon.”