Yahoo admits it knew about huge data breach in 2014, two years before it became public

Tech company had previously claimed it only "recently" found out about the leak of 500m users' personal information

Ben Chapman
Thursday 10 November 2016 18:33
Yahoo has been rocked by two of the biggest hacks of all time

After months of speculation, Yahoo has finally admitted it knew about a massive data breach as far back as 2014.

The tech company had previously claimed it only "recently" found out about the leak of 500 million user accounts. Independent experts are now investigating exactly how much was known and by whom, Yahoo said.

They are looking at evidence that indicates a “state-sponsored actor” breached Yahoo’s system and could have gained user data by creating “cookies” that bypassed password protection, the company said in a regulatory filing. Yahoo said it doesn’t believe it is currently possible for the attackers to forge valid Yahoo Mail cookies.

Verizon, which is in the process of buying Yahoo, has said it could lower its $4bn purchase price, or even withdraw the bid altogether, if more damaging information was revealed.

Verizon was only informed of the hack a week before it was publicly exposed in September, despite the fact Yahoo had known for two years.

“As a result of facts relating to the security incident [Verizon] may seek to terminate the stock purchase agreement or renegotiate the terms of the sale,” it said.

In further revelations, Yahoo said it is investigating a new claim that user account data was obtained by a hacker, the latest security challenge for the company as it prepares for the planned acquisition.

Police began sharing certain information on Monday that was provided by a hacker who claimed it was Yahoo user account data.

“It was a good day to bury the news,” Dr Joss Wright from the University of Oxford's Internet Institute told the BBC, referring to the fact that Yahoo's filing had coincided with Donald Trump winning the US election.

“Because there's rarely a large visible event when a breach happens, companies can choose not to report them hoping that they can fix the problem internally.
