Yahoo Knew About Giant Hack As Early As 2014

Image courtesy of Yahoo

Back in September, Yahoo was forced to admit that it had suffered a security breach — a big one. A “whoops, there goes 500 million users’ data” one. Since then, both the public and potential acquirer Verizon have been asking: what did Yahoo know, and when did they know it? And the answer now seems to be: not as much as they should have, but way earlier than they said.

Fortune points to a filing Yahoo made with the Securities and Exchange Commission this week.

The form includes a description of the “Security Incident” that the company disclosed in September — that one where a half-Billion users’ data was accessed.

At the time, Yahoo said that the data was stolen in 2014, and that the company suspected a state-sponsored actor. That’s not new. What is new is the disclosure that someone, somewhere inside Yahoo knew about it way back in 2014.

“The Company had identified that a state-sponsored actor had access to the Company’s network in late 2014,” Yahoo wrote.

“An Independent Committee of the Board, advised by independent counsel and a forensic expert, is investigating, among other things, the scope of knowledge within the Company in 2014 and thereafter regarding this access, the Security Incident, the extent to which certain users’ account information had been accessed, the Company’s security measures, and related incidents and issues.”

In other words, Yahoo is still investigating how many people inside the company knew there was a data breach, and what they did with that information — but someone sure seems to have.

A source with knowledge of the company told Fortune that although the when was known, the scope still startled them, saying, “It wasn’t until this most recent intensification of the investigation that really gave the full scope of what occurred.”

That seems like news that will particularly interest Verizon, which agreed in July to purchase Yahoo for $4.8 billion. That price tag, however, has been looking increasingly too steep for the damaged goods.

In October, Verizon was reportedly trying to knock that purchase price down to $3.8 billion instead — roughly a 20% discount, give or take a few hundred million dollars.

Verizon can also choose to back out of the deal altogether if it’s determined that Yahoo actually did know about the breach when its executives signed the merger documents, because those contracts say that to the best of their knowledge, there hadn’t been any.

Verizon, however, has not yet come to any firm conclusions about how to handle this whole Yahoo thing, a spokesperson confirmed to Fortune.

Yahoo Knew About the Breach in 2014 [Fortune]

Want more consumer news? Visit our parent organization, Consumer Reports, for the latest on scams, recalls, and other consumer issues.