Here’s Yahoo saying it was hacked earlier and it is being sued 23 times for the breach

Security Incident

Description of Event

On September 22, 2016, we disclosed that, based on an ongoing investigation, a copy of certain user account information for at least 500 million user accounts was stolen from Yahoo’s network in late 2014 (the “Security Incident”). We believe the user account information was stolen by a state-sponsored actor. The user account information taken included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers. Our investigation to date indicates that the stolen information did not include unprotected passwords, payment card data, or bank account information. Payment card data and bank account information are not stored in the system that the investigation found to be affected. Based on the investigation to date, we do not have evidence that the state-sponsored actor is currently in or accessing the Company’s network.


In late July 2016, a hacker claimed to have obtained certain Yahoo user data. After investigating this claim with the assistance of an outside forensic expert, the Company could not substantiate the hacker’s claim. Following this investigation, the Company intensified an ongoing broader review of the Company’s network and data security, including a review of prior access to the Company’s network by a state-sponsored actor that the Company had identified in late 2014. Based on further investigation with an outside forensic expert, the Company disclosed the Security Incident on September 22, 2016, and began notifying potentially affected users, regulators, and other stakeholders.

The Company, with the assistance of outside forensic experts, continues to investigate the Security Incident and related matters. The Company is actively working with U.S. law enforcement authorities on this matter.

As described above, the Company had identified that a state-sponsored actor had access to the Company’s network in late 2014. An Independent Committee of the Board, advised by independent counsel and a forensic expert, is investigating, among other things, the scope of knowledge within the Company in 2014 and thereafter regarding this access, the Security Incident, the extent to which certain users’ account information had been accessed, the Company’s security measures, and related incidents and issues.

In addition, the forensic experts are currently investigating certain evidence and activity that indicates an intruder, believed to be the same state-sponsored actor responsible for the Security Incident, created cookies that could have enabled such intruder to bypass the need for a password to access certain users’ accounts or account information.

Separately, on November 7, 2016, law enforcement authorities began sharing certain data that they indicated was provided by a hacker who claimed the information was Yahoo user account data. Yahoo will, with the assistance of its forensic experts, analyze and investigate the hacker’s claim that the data is Yahoo user account data.

Current and Future Expenses and Losses

We recorded expenses of $1 million related to the Security Incident in the quarter ended September 30, 2016. The Security Incident did not have a material adverse impact on our business, cash flows, financial condition, or results of operations for the quarter ended September 30, 2016. However, we have subsequently incurred expenses related to the Security Incident to investigate and take remedial actions to notify and protect our users, and expect to continue to incur investigatory, legal, and other expenses associated with the Security Incident in the foreseeable future. We will recognize and include these expenses as part of our operating expenses as they are incurred. The Company does not have cybersecurity liability insurance.

Litigation, Claims, and Governmental Investigations

To date, 23 putative consumer class action lawsuits have been filed against the Company in U.S. federal and state courts, and in foreign courts relating to the Security Incident. The plaintiffs, who purport to represent various classes of users, generally claim to have been harmed by the Company’s alleged actions and/or omissions in connection with the Security Incident and assert a variety of common law and statutory claims seeking monetary damages or other related relief. Additional lawsuits and claims related to the Security Incident may be asserted by or on behalf of users, partners, shareholders, or others seeking damages or other related relief.

In addition, the Company is cooperating with federal, state, and foreign governmental officials and agencies seeking information and/or documents about the Security Incident and related matters, including the U.S. Federal Trade Commission, the U.S. Securities and Exchange Commission, a number of State Attorneys General, and the U.S. Attorney’s office for the Southern District of New York.
