Yahoo sued over hack, questions over incident handling
Struggling internet giant Yahoo is being sued over negligence due to its handling of private data of users, while questions have arisen whether the company had known about the massive data breach much longer than claimed.
On Thursday last week, Yahoo disclosed that the data of 500 million of its users - including encrypted passwords, email addresses, telephone numbers, dates of birth and unencrypted security questions - had been stolen by unidentified state-sponsored hackers in 2014.
Yahoo said it only learned about the breach, which has been described as the largest to date, a few weeks ago while investigating reports of another hack.
However, the Financial Times reported that Yahoo Chief Executive Officer Marissa Mayer knew of a major breach already in July, citing a person briefed on the matter. It was however not clear, whether it really was this incident Mayer was aware off or a separate hack related to claims of an attacker know as Peace who was bragging on the dark web this summer about selling millions of Yahoo credentials.
"Yahoo has never had reason to believe there is any connection between the security issue disclosed yesterday and the claims publicised by a hacker in August 2016. Conflating the two events is inaccurate," a Yahoo spokesperson told Reuters.
Sources familiar with the Yahoo investigation said that the company learned of the theft of data only after probing the claims made by Peace, which Yahoo determined were meritless, Reuters said.
Yahoo is currently trying to sell its internet business to Verizon Communications – a transaction that might be postponed or even abandoned if Verizon decides Yahoo’s value has diminished significantly as a result of the hack.
Some experts said Verizon may try to push down the price by at least a couple of hundred million dollars if users start leaving Yahoo in the wake of the revelations. The two firms agreed in July for Verizon to pay $4.83bn for Yahoo’s internet business.
Verizon said it only learned about the breach last week.
In a regulatory filing from 9 September, Yahoo stated it did not have knowledge of ‘any incidents of, or third party claims alleging ... unauthorized access’ of personal data of its customers that could have a material adverse effect on Verizon's acquisition.
"As law enforcement and regulators examine this incident, they should investigate whether Yahoo may have concealed its knowledge of this breach in order to artificially bolster its valuation in its pending acquisition by Verizon," Richard Blumenthal, a Democratic senator from Connecticut, said.
On Friday, a Yahoo user whose credentials were among those stolen filed a law suit against Yahoo in a California federal court on behalf of all affected US Yahoo users. The question whether Yahoo knew about the breach earlier than claimed could have an impact on the litigations.