WASHINGTON, Sept 23 Yahoo on Friday
faced pointed questions about exactly when it knew about a cyber
attack that exposed the email credentials of 500 million users,
a critical issue for the company as it seeks to prevent the
breach from affecting a pending takeover by Verizon Inc.
The internet company has so far not provided a clear,
detailed timeline about when it was made aware of the breach
announced Thursday. Yahoo blamed the incident on a
"state-sponsored actor" but has not provided any technical
information supporting that claim.
"We don't know a lot. We don't know how the bad guys broke
in. We don't know when Yahoo first found out," said Jeremiah
Grossman, chief of security strategy for SentinelOne and a
former information security officer at Yahoo.
In a Sept. 9 regulatory filing with the Securities and
Exchange Commission, Yahoo stated it did not have knowledge of
"any incidents of, or third party claims alleging ...
unauthorized access" of personal data of its customers that
could have a material adverse effect on Verizon's acquisition.
Verizon agreed in July to pay $4.83 billion for Yahoo's core
business. If the hacking prompts customers to leave Yahoo, the
company may see its value erode.
Some lawmakers swiftly called for close scrutiny of what the
company knew and when.
"As law enforcement and regulators examine this incident,
they should investigate whether Yahoo may have concealed its
knowledge of this breach in order to artificially bolster its
valuation in its pending acquisition by Verizon," Richard
Blumenthal, a Democratic senator from Connecticut, said.
Verizon declined to comment on how the breach might affect
the deal. Sources familiar with the transaction say Verizon and
its advisers are still examining the situation before
determining what actions if any might be taken.
The Financial Times reported Thursday that embattled Yahoo
Chief Executive Officer Marissa Mayer knew of the breach in
July, citing a person briefed on the matter. Yahoo declined to
comment on Friday when asked about Mayer's knowledge of the
investigation. (on.ft.com/2daTJ4s)
The FT article did not specify if Mayer was aware of the
hack announced Thursday or of a separate incident, in which a
hacker calling himself Peace took to the dark web this summer to
claim he was selling hundreds of millions of Yahoo credentials.
Sources familiar with the Yahoo investigation said that the
company learned of the theft of data - which included encrypted
passwords, names and emails but not banking information - only
after probing the claims made by Peace, which Yahoo determined
were meritless.
Joseph Cox, a reporter with the technology news site
Motherboard, said he emailed Yahoo on July 30 to ask if the
company was aware that Peace was attempting to sell Yahoo data.
Motherboard published a story on Aug. 1 stating Yahoo was
"aware" of the hacker's claims.
