The company knew about the data breach when it happened, and also knew about the forged-cookie attacks of 2015 and 2016

Mar 2, 2017 10:00 GMT

In a rather nasty turn of events, it seems that Yahoo senior executives were aware of the 2014 data breach since the late months of that very year, but failed to properly comprehend what was happening, in a clear sign of incompetence. 

This is perhaps the most face-palm moment ever for Yahoo, which already had a sketchy history of dealing with security problems. In a securities filing, the company admits that, following an investigation, the Independent Committee concluded that the company's information security team knew about the compromise of user accounts when it happened.

Not only did they know about the 2014 incident when it happened, but they also knew about the cookie-forging incident that followed in 2015 and 2016, which involved the same attacker. This only shows that they did none of the things they should have done to protect their users.

"In late 2014, senior executives and relevant legal staff were aware that a state-sponsored actor had accessed certain user accounts by exploiting the Company’s account management tool. The Company took certain remedial actions, notifying 26 specifically targeted users and consulting with law enforcement. While significant additional security measures were implemented in response to those incidents, it appears certain senior executives did not properly comprehend or investigate, and therefore failed to act sufficiently upon, the full extent of knowledge known internally by the Company’s information security team," reads the filing.

More specifically, as of December 2014, the information security team knew the attacker managed to exfiltrate copies of user database backup files containing personal data of Yahoo users. It is unclear to the investigation team just how much of this whole incident was understood beyond the security team that handled the problem.

They knew and said nothing

According to the filing, the Committee found that the legal team had sufficient information to warrant substantial further inquiry back in 2014, but they did not sufficiently pursue it. For the record, this is the incident that exposed 500 million user accounts.

"The Independent Committee found that failures in communication, management, inquiry and internal reporting contributed to the lack of proper comprehension and handling of the 2014 Security Incident. The Independent Committee also found that the Audit and Finance Committee and the full Board were not adequately informed of the full severity, risks, and potential impacts of the 2014 Security Incident and related matters," the filing reads. Considering that the incident was not disclosed until September 2016, we'd say that's an understatement.

As a result of this issue, Marissa Mayer will not get her cash bonus for 2016 and chose to forgo any 2017 annual equity award given that the entire incident occurred during her tenure.

The 2014 incident

The 2014 data breach exposed half a billion user accounts, including names, email addresses, phone numbers, dates of birth, bcrypt-hashed passwords, and encrypted or unencrypted security questions and answers. The information was only shared with users in September 2016. This catastrophic breach was believed to be the worst that could happen until, in December, Yahoo revealed that another breach, in 2013, had affected 1 billion accounts.