Yahoo has admitted that selected staff members knew about the attack in which details of around 500 million users were leaked shortly after it happened, despite the company waiting two years to alert its users to the issue.
Yahoo alerted its users back in September to what it claimed, without publicly providing supporting evidence, was a 'state-sponsored' attack on its servers, two years after the breach had taken place. Initially, that was easily excusable: it's entirely possible that the attacker sat on the information gained, which included personal details and hashed passwords for 500 million Yahoo accounts, and that the breach only came to light when the attacker went public with the data in some way.
Unfortunately for Yahoo, that does not appear to be the case. According to a Financial Times analysis of the company's most recent filings with the US Securities & Exchange Commission (SEC), Yahoo has confirmed that staff members knew about the attack shortly after it first happened in 2014 but failed to alert customers to the issue due to a lack of understanding of the breach's scope. The filing also raised the concern, under investigation by an external specialist forensic company, that the attacker may also have discovered a means of accessing Yahoo customer accounts without needing a password, rendering the company's two-year-delayed response of forcing password changes on its users moot.
The revelations contained in the SEC filing are only the latest in a string of bad news for Yahoo, which has seen a deal to be acquired by Verizon derailed over concerns of a drop in value, and claims that the company inserted an insecure backdoor into its email infrastructure at the request of the US security services and without the knowledge of its chief information security officer.