Yahoo gave Verizon just two days’ notice before the public learned it had been breached in a massive hack, despite having been investigating since August a claim that at least 200 million of its users’ credentials were being sold on a dark web marketplace.
On Thursday, Yahoo confirmed the breach was much worse, saying that “at least” 500 million user accounts were stolen by a “state-sponsored” attacker. The company notified Verizon, which agreed in July to purchase Yahoo for nearly $5 billion, on Tuesday.
A few days after Verizon and Yahoo agreed to the $4.8 billion deal, Motherboard’s Joseph Cox reached out to Yahoo with questions regarding a listing for account credentials on a dark web marketplace. A spokesperson didn’t deny they were legitimate, and told Cox it was “aware of a claim.”
According to Yahoo’s press release, it opened an investigation into the matter and confirmed the breach to the general public 52 days later.
The data being sold on the dark web in August was not found to have come from Yahoo’s own systems, according to The New York Times. But during the course of its investigation, the company did find a separate, serious breach that had exposed the much larger cache of 500 million credentials.
A person familiar with the matter told Business Insider the company had “a high degree of confidence” the theft was carried out by a state-sponsored actor, though the source declined to say which state. The source said the hack occurred sometime in 2014.
It’s unclear when Yahoo made that discovery, and users were not notified until Thursday. It is clear, though, that Verizon did not get special treatment: it received just a two-day heads-up on the hack, which sent Yahoo’s stock down from $44 to $43 after the news broke.
The incident is one of “a number of previous incidents that were not managed swiftly by CEO Marissa Mayer,” according to internal sources who spoke with Recode. One executive told Recode that the former head of information security tried unsuccessfully to have top management respond more strongly to such security incidents.
This story has been updated with additional information reported on the August dataset of 200 million users and the legitimate dataset found affecting 500 million.