The Washington PostDemocracy Dies in Darkness

Yahoo discovered hack leading to major data breach two years before it was disclosed

Ailing tech giant Yahoo may soon confirm a data breach affecting hundreds of millions of accounts, according to a report from tech site re/code. (Video: Jhaan Elker/The Washington Post)
Placeholder while article actions load

Yahoo discovered the hack that led to a data breach affecting more than a half billion accounts nearly two years before the attack was disclosed in September, according to documents filed with financial regulators Wednesday.

News of the breach broke as Yahoo was finalizing a deal to sell off its core business to Verizon. That deal may now be under threat, Yahoo acknowledged for the first time in a filing with the Securities and Exchange Commission.

Yahoo noticed the infiltration, which it claims was carried out by state-backed hackers, shortly after it occurred in late 2014, according to the regulatory filing. However, the company did not understand the extent of the attack until a claim by a hacker in July to have obtained vast amounts of Yahoo user data led to a review, the document suggested.

The company had brought in outside forensics experts who were unable to substantiate the claims made in July, according to the filing.

A “more complete picture” of the 2014 attack that emerged during an examination following the July claims led to the September disclosure, a person familiar with the matter told The Post.

When the data breach was first disclosed, Yahoo only described its discovery as the result of a “recent investigation.” However, there was speculation among industry observers about how long the company knew about the hack.

A Wall Street Journal story in September that cited an unnamed source reported that state-sponsored hackers broke into Yahoo's systems in fall 2014 — although it stopped short of linking the attack to the data breach.

In the filing, Yahoo says its investigation into the breach is ongoing and that it's working with law enforcement agencies and regulators on the issue. The company is now investigating evidence that the hackers behind the 2014 breach found a way to access certain users’ accounts without their passwords, the filing said.

The filing also revealed that Yahoo has created an independent committee being advised by “independent counsel and a forensic expert” to investigate how widespread knowledge of the hack was within the company in 2014.

In a section listing risks to the Verizon deal, Yahoo said the telecom giant may seek to renegotiate or call off the agreement because of the breach.

Verizon has already raised concerns about the hack. In an October call with investors, the telecom giant’s chief financial officer, Fran Shammo, said it the company had to “assume” the breach would have a material impact on Yahoo. If it does, that offers Verizon a way out of the agreement.

“We’re still evaluating the situation and haven’t reached any final conclusions,” Verizon's chief communications officer, Jim Gerace, told The Post in an email.

In the SEC filing, Yahoo said it recorded $1 million worth of expenses related to the breach in the fiscal quarter that ended on Sept. 30, but those expenses “did not have a material adverse impact” in that period.

However, the company also acknowledged it has incurred further expenses related to hack since then.