Yahoo Hack: Senators Call on CEO Marissa Mayer to Explain Why It Took Two Years to Report Massive Breach

Marissa Mayer Yahoo
AP Photo/Eric Risberg, File

Six Democratic U.S. senators sent a letter to Yahoo CEO Marissa Mayer asking for more details on the hack in which data on more than 500 million user accounts was stolen and saying it was “unacceptable” that it took the internet company the two years to report the attack.

In the Sept. 27 letter, Sens. Ed Markey (D-Mass.), Patrick Leahy (D-Vt.) and four other Senators requested that the company provide a timeline of the hack, including when law enforcement and users were notified, as well as info on how widespread the hack is and what Yahoo is doing to prevent such a hack in the future. The breach is believed to be the largest-ever single theft of user data.

The lawmakers said they were “disturbed that user information was first compromised in 2014, yet the company only announced the breach last week. That means millions of Americans’ data may have been compromised for two years. This is unacceptable.”

A Yahoo rep said in an emailed statement, “We have received the letter and will work to respond in a timely and appropriate manner.”

Mayer has known since July about the company’s investigation into allegations of a major security breach, the Financial Times reported last week, citing an anonymous source.

The company, which reached a deal in July to sell its core web businesses to Verizon for $4.8 billion, last week said a “state-sponsored actor” broke in Yahoo’s network in late 2014 and stole usersnames, hashed passwords, and other personal info for at least 500 million accounts worldwide. Yahoo has not provided an explanation for why it has taken two years to report the incident, nor did it identify the country it believes was behind the attack.

“The stolen data included usernames, passwords, email addresses, telephone numbers, dates of birth, and security questions and answers,” the senators wrote in the letter to Mayer. “This is highly sensitive, personal information that hackers can use not only to access Yahoo customer accounts, but also potentially to gain access to any other account or service that users access with similar login or personal information, including bank information and social media profiles.”

In addition to Leahy and Markey, the letter was signed by Sens. Al Franken (D-Minn.), Elizabeth Warren (D-Mass.), Richard Blumenthal (D-Conn.) and Ron Wyden (D-Ore.). The inquiry comes a day after Sen. Mark Warner (D-Va.) asked the Securities and Exchange Commission to investigate whether Yahoo and its senior executives “fulfilled their obligations” under federal securities laws to inform the public and investors about the security breach.

According to Verizon, Yahoo informed the telco of the scope of the breach two days before Yahoo announced the incident on Sept. 22. Yahoo said in a Sept. 9 proxy statement filed with SEC that “there have not been any incidents of, or third-party claims alleging, (i) Security Breaches, unauthorized access or unauthorized use of any of Seller’s or the Business Subsidiaries’ information technology systems or (ii) loss, theft, unauthorized access or acquisition, modification, disclosure, corruption, or other misuse of any Personal Data” in its possession.

Experts say Yahoo’s costs associated with the security breach will run into the tens of millions of dollars, and could lead Verizon to renegotiate or void its proposed acquisition. The security breach has already spawned several proposed class-action lawsuits by users.

Yahoo has recommended that users who haven’t changed their passwords since 2014 do so, and the company said it was working with law-enforcement officials to investigate the incident. According to the company, based on what it has learned so far, none of the stolen information included unprotected passwords, payment-card data, or bank-account information.