
Documents filed by Yahoo yesterday with the US Securities and Exchange Commission (SEC) reveal that at least some Yahoo employees have known since 2014 about the massive security incident in which an unknown attacker stole the details of 500 million users.

The documents filed with the SEC are part of Yahoo's quarterly Form 10-Q filings regarding the company's financial earnings, but they also contain a section with details about the recent data breach, which the company announced on September 22.

In its September 2016 announcement, Yahoo said that it started the investigation into the data breach only after a hacker claimed to have hacked the company and put up Yahoo user records on sale online in late July 2016.

Yahoo knew of the breach since 2014, not 2016

While Yahoo said the hacker's claims couldn't be verified, it discovered traces of an older cyber-attack that took place in late 2014, following which an intruder stole the details of over 500 million Yahoo users.

The SEC filing reveals that Yahoo knew of the breach in 2014, when it happened. Who exactly knew is still up for debate, and it is possible that upper management was never notified of the incident.

Given the company's very convoluted leadership structure, it is possible that Yahoo's top management never learned the true depth of the security incident, which would explain why the company never initiated a password reset in 2014.

This failure in the company's management structure doesn't absolve Yahoo of any blame, but actually makes the company look more inept.

From the SEC filing:

In late July 2016, a hacker claimed to have obtained certain Yahoo user data. After investigating this claim with the assistance of an outside forensic expert, the Company could not substantiate the hacker’s claim. Following this investigation, the Company intensified an ongoing broader review of the Company’s network and data security, including a review of prior access to the Company’s network by a state-sponsored actor that the Company had identified in late 2014.

Yahoo hackers accessed some user accounts

Furthermore, the Yahoo SEC filing also contains clues about what the attacker did with the stolen user data:

[T]he forensic experts are currently investigating certain evidence and activity that indicates an intruder, believed to be the same state-sponsored actor responsible for the Security Incident, created cookies that could have enabled such intruder to bypass the need for a password to access certain users’ accounts or account information.

The above paragraph is also the closest the filing comes to explaining why the company attributes the attack to a state-sponsored actor rather than a lone hacker, as was the case with the LinkedIn and Dropbox hacks, for which US authorities arrested Yevgeniy Nikulin, 29, a Russian national currently awaiting extradition to the US from the Czech Republic.

Cookie forging (a form of session hijacking) is a technique in which an attacker crafts the cookies a site uses to recognize an already logged-in session, so that the server treats the attacker's browser as the victim's. Because the server checks the cookie instead of asking for credentials, the attacker gets into the account without ever entering the password. Minting such cookies requires either an unsigned cookie format that anyone can write, or possession of the secret (or the cookie-generation code and keys) the site uses to sign them.
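To make the distinction concrete, the following is an added example (not Yahoo's code, and nothing here is taken from the filing) that puts an unsigned identity cookie beside an HMAC-signed one and runs the attack paths against each: a plain forgery, a forgery without the key, tampering with a genuine cookie, a forgery by someone who holds the signing key, and the effect of rotating that key. The key, user names and timestamps are constructed for the demo.

```python
"""Forged-cookie login bypass: an unsigned session cookie beside an
HMAC-signed one, and why a leaked signing key defeats the signed one too.
Added example, not Yahoo's code; keys, names and times are constructed."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# --- Vulnerable pattern: the cookie *is* the identity claim ----------------
def make_cookie_unsigned(user: str) -> str:
    """Server sets 'user=<name>' after a successful password login."""
    return f"user={user}"


def user_from_unsigned(cookie: str) -> Optional[str]:
    """Server trusts whatever the cookie says; any client can write this string."""
    if not cookie.startswith("user="):
        return None
    return cookie[len("user="):]


# --- Hardened pattern: HMAC-signed cookie with an expiry -------------------
def sign_cookie(claims: dict, key: bytes) -> str:
    """Serialize the claims and append an HMAC-SHA256 tag computed under `key`."""
    body = _b64(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def user_from_signed(cookie: str, key: bytes, now: Optional[float] = None) -> Optional[str]:
    """Return the subject only if the tag verifies and the cookie is unexpired."""
    try:
        body, tag = cookie.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    try:
        claims = json.loads(_unb64(body))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(claims, dict):
        return None
    if claims.get("exp", 0) < (time.time() if now is None else now):
        return None
    return claims.get("sub")


def run_scenarios(server_key: bytes, now: float = 1_700_000_000) -> dict:
    """Exercise each attack path against both cookie schemes; returns who the server logs in as."""
    exp = now + 3600
    results = {}
    # 1. Unsigned cookie: the attacker simply writes the victim's name.
    results["unsigned_forgery"] = user_from_unsigned(make_cookie_unsigned("victim"))
    # 2. Signed cookie, attacker lacks the key: the tag does not verify.
    forged = sign_cookie({"sub": "victim", "exp": exp}, b"attacker-guess")
    results["signed_forgery_no_key"] = user_from_signed(forged, server_key, now)
    # 3. Splicing a victim body onto a genuine cookie's tag breaks the MAC.
    genuine = sign_cookie({"sub": "alice", "exp": exp}, server_key)
    _, genuine_tag = genuine.split(".", 1)
    victim_body = sign_cookie({"sub": "victim", "exp": exp}, b"x").split(".", 1)[0]
    results["signed_tampered"] = user_from_signed(f"{victim_body}.{genuine_tag}", server_key, now)
    # 4. Signing key (or the cookie-minting code plus its secrets) leaked:
    #    the forgery is indistinguishable from a genuine cookie.
    minted = sign_cookie({"sub": "victim", "exp": exp}, server_key)
    results["signed_forgery_with_key"] = user_from_signed(minted, server_key, now)
    # 5. Remediation: rotating the key invalidates every outstanding cookie.
    results["after_key_rotation"] = user_from_signed(minted, secrets.token_bytes(32), now)
    return results


if __name__ == "__main__":
    for name, value in run_scenarios(secrets.token_bytes(32)).items():
        print(f"{name:26} -> {value!r}")
```

Scenario 4 is the one that matters for a breach like this: signing the cookie stops outsiders, but once the signing material leaves the server, every account becomes reachable without a password, and the only server-side fix is to rotate the key (scenario 5) and force everyone to log in again.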

Despite the discovery that someone might have used this technique to access the accounts of "certain" Yahoo users, the technique is well known to infosec professionals and is by no means exclusive to state-sponsored attackers, so on its own it does not substantiate Yahoo's claim of a state-sponsored attack.

Yahoo facing 23 class-action lawsuits following massive data breach

Since this was an SEC filing, the company also detailed some of the financial costs associated with the security breach. So far, the company has spent only $1 million, a very small sum compared to the average cost of a data breach, which is $4 million.

Nevertheless, this number will go up, as the 10-Q report also reveals that 23 class-action lawsuits have been filed in relation to the data breach since Yahoo's September announcement.

We recorded expenses of $1 million related to the Security Incident in the quarter ended September 30, 2016. The Security Incident did not have a material adverse impact on our business, cash flows, financial condition, or results of operations for the quarter ended September 30, 2016. However, we have subsequently incurred expenses related to the Security Incident to investigate and take remedial actions to notify and protect our users, and expect to continue to incur investigatory, legal, and other expenses associated with the Security Incident in the foreseeable future. We will recognize and include these expenses as part of our operating expenses as they are incurred. The Company does not have cybersecurity liability insurance.