Yahoo admits employees discovered hack in 2014

Next Story

Five industries that should take a cue from Netflix and crowdsource parts of its tech

Yahoo admitted today that some of its employees were aware of the theft of 500 million users’ data as early as 2014 — years before Yahoo publicly acknowledged the hack.

The hack, which Yahoo has attributed to an unnamed “state-sponsored actor,” occurred in late 2014, and according to today’s filing with the Securities and Exchange Commission, it seems Yahoo detected it early on.

“In late July 2016, a hacker claimed to have obtained certain Yahoo user data. After investigating this claim with the assistance of an outside forensic expert, the Company could not substantiate the hacker’s claim. Following this investigation, the Company intensified an ongoing broader review of the Company’s network and data security, including a review of prior access to the Company’s network by a state-sponsored actor that the Company had identified in late 2014,” Yahoo said in the filing.

Yahoo also reported that 23 consumer class action lawsuits have been filed in response to the breach, but that it’s too early to estimate monetary damages. It estimates the hack has led to a loss of $1 million so far.

The question of when Yahoo learned of the breach is essential to its planned sale to Verizon. Verizon has reportedly asked for a $1 billion discount in light of the breach, which was not disclosed until after the September sale even though Yahoo CEO Marissa Mayer allegedly learned of the breach in July. (Disclosure: Verizon owns TechCrunch.)

In today’s filing, Yahoo says it has formed an independent committee to review “the scope of knowledge within the Company in 2014 and thereafter regarding this access, the Security Incident, the extent to which certain users’ account information had been accessed.”

Senator Mark Warner has asked the SEC to investigate what Yahoo knew about the breach and when it knew it, citing an earlier Yahoo filing that claimed the company was not aware of any security breaches. “Yahoo’s September filing asserting lack of knowledge of security incidents involving its IT systems creates serious concerns about truthfulness in representations to the public,” Warner said in a statement.