Yahoo detected evidence that a hacker had broken into its computer network at least 18 months before launching an investigation that discovered personal information had been stolen from about 500 million user accounts.
The timeline outlined in a regulatory filing raises further questions about why it took Yahoo so long to realize the severity of its security breakdown. It also could provide Verizon Communications with reason to revise or terminate its $4.8 billion deal to buy Yahoo’s online services.
- Why do people still use email — or at least not secure it?
- Verizon says Yahoo data breach had a ‘material’ impact
- Yahoo profit beats as emerging businesses shine
Yahoo disclosed the size of the breach seven weeks ago. At that time, Yahoo traced its findings to an inquiry opened in late July, around the same time that Verizon announced its agreement to buy Yahoo’s email service, digital advertising tools and sections devoted to news, sports, finance and entertainment.
Verizon says it wasn’t informed of the hacking attack until a few days before Yahoo told its users in late September.
In its regulatory filing late Wednesday, Yahoo acknowledged the company first became aware of the hack in late 2014. The Sunnyvale, California, company said its board is now investigating how much was known back in 2014.
Verizon declined to comment on Yahoo’s latest disclosure. The company’s executives have previously said Verizon is re-evaluating its deal with Yahoo because the breach could alienate a large swath of users who may rely on Yahoo’s email and other services less frequently in order to protect their privacy. If there is a user backlash, Yahoo’s services wouldn’t be worth as much to Verizon, which is counting on a large audience to sell more digital advertising.
Yahoo has sought to reassure its users that the hacker no longer has access to its computers. The company also has prompted users to change their passwords and security questions to protect their accounts.
In its regulatory filing, Yahoo Inc. also revealed that the hacker created computer coding known as “cookies” that would allow someone to view information in user accounts without the need for a password. The company also said it will analyze information turned over by the FBI from a hacker claiming it came from Yahoo accounts.