Documents filed by Yahoo yesterday with the US Securities and Exchange Commission (SEC) reveal that at least some Yahoo employees knew since 2014 of the massive security incident through which an unknown attacker stole details of 500 million users.
The documents filed with the SEC are part of Yahoo's quarterly Form 10-Q filings regarding the company's financial earnings, but they also contain a section with details about the recent data breach, which the company announced on September 22.
In its September 2016 announcement, Yahoo said that it started the investigation into the data breach only after a hacker claimed to have hacked the company and put Yahoo user records up for sale online in late July 2016.
While Yahoo said the hacker's claims couldn't be verified, it discovered traces of an older cyber-attack that took place in late 2014, following which an intruder stole the details of over 500 million Yahoo users.
The SEC filing reveals that Yahoo knew of the breach in 2014, when it happened. Who knew is still up for debate, and it may be possible that upper management was never notified of the incident.
With a very convoluted leadership structure, it may be possible that Yahoo's top management never knew of the security incident's true depth, and that's why the company never initiated a password reset in 2014.
This failure in the company's management structure doesn't absolve Yahoo of any blame, but actually makes the company look more inept.
From the SEC filing:
Furthermore, the Yahoo SEC filing also contains clues about what the attacker did with the stolen user data:
The above paragraph also explains why the company thinks the attack was state-sponsored, and not the work of a lone hacker, as was the case with the LinkedIn and Dropbox hacks, for which US authorities arrested Yevgeniy Nikulin, 29, a Russian national, currently awaiting extradition to the US in the Czech Republic.
Cookie hijacking (or session hijacking) is a technique through which an attacker forges or replays the cookies that a site uses to recognize an already-authenticated user, so the site treats the attacker as that user with an active session. This allows the attacker to access the user's account without ever entering a password.
Despite the discovery that someone might have used this technique to access the accounts of "certain" Yahoo users, the technique is well known to infosec professionals and is not employed exclusively by state-sponsored attackers, so on its own it is not enough to substantiate Yahoo's claim of a state-sponsored attack.
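To make the defensive point concrete, here is an added illustration (not code from the article, and not Yahoo's actual session implementation, whose details the filing does not describe): a site that trusts an unsigned cookie can be "logged in" by anyone who writes a plausible value, while a cookie carrying an HMAC over the user id and expiry, computed with a secret that never leaves the server, can only be forged by someone holding that secret. All names, the secret, and the cookie layout are assumptions for the example.

```python
import hmac
import hashlib

# Assumption: a server-side signing key. It must never be sent to clients;
# anyone who obtains it can mint cookies for any user, which is the residual risk.
SECRET = b"constructed-example-server-secret"


def weak_cookie(user_id: str) -> str:
    # Weak design: the cookie is the bare user id, so the server has no way
    # to tell a cookie it issued from one an attacker typed in by hand.
    return user_id


def weak_lookup(cookie: str) -> str:
    # The server believes whatever the cookie says.
    return cookie


def issue_cookie(user_id: str, expires_at: int, secret: bytes = SECRET) -> str:
    # Hardened design: bind user id and expiry together under an HMAC tag.
    payload = f"{user_id}|{expires_at}".encode()
    tag = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    return f"{user_id}|{expires_at}|{tag}"


def verify_cookie(cookie: str, now: int, secret: bytes = SECRET):
    # Returns the user id for a genuine, unexpired cookie, else None.
    # A None on a well-formed cookie with a bad tag is the signal a defender
    # should log and count: it means someone presented a cookie we never issued.
    try:
        user_id, exp_text, tag = cookie.rsplit("|", 2)
        expires_at = int(exp_text)
    except ValueError:
        return None
    payload = f"{user_id}|{expires_at}".encode()
    expected = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return None
    if now >= expires_at:
        return None
    return user_id
```

Rotating the secret invalidates every outstanding cookie, which is the blunt instrument a site reaches for when it suspects its signing key, rather than individual passwords, has been exposed.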
Since this was an SEC filing, the company also detailed some of the financial costs associated with the security breach. So far, the company has spent only $1 million, which is a very small sum compared to the average cost of a data breach, which is $4 million.
Nevertheless, this number will go up, as the 10-Q report also revealed that several parties have filed 23 class-action lawsuits in relation to the data breach, following Yahoo's September announcement.