Continuing the trend of uncovering details of major Yahoo breaches in SEC filings, the company's latest Form 10-K reveals employees knew about the security incident in 2014 but didn't follow up.
To be clear, the investigation results disclosed do not pertain to the 2014 Yahoo security breach in which data from 500 million user accounts was stolen, nor to the 2013 Yahoo breach involving the theft of data from 1 billion user accounts. According to the filing, investigators still believe these two incidents are "distinct."
However, the independent committee determined Yahoo's "information security team had contemporaneous knowledge of the 2014 compromise of user accounts, as well as incidents by the same attacker involving cookie forging in 2015 and 2016." Additionally, the investigation found that senior executives and legal staff were aware of the Yahoo security breach as of "late 2014."
"The Company took certain remedial actions, notifying 26 specifically targeted users and consulting with law enforcement. While significant additional security measures were implemented in response to those incidents, it appears certain senior executives did not properly comprehend or investigate, and therefore failed to act sufficiently upon, the full extent of knowledge known internally by the Company's information security team," Yahoo wrote in the Securities and Exchange Commission (SEC) filing.
"Specifically, as of December 2014, the information security team understood that the attacker had exfiltrated copies of user database backup files containing the personal data of Yahoo users, but it is unclear whether and to what extent such evidence of exfiltration was effectively communicated and understood outside the information security team."
Ultimately, the affected users were not notified of the Yahoo security breach until September 2016 -- two years after the incident. The committee concluded there was no "intentional suppression of relevant information," but placed the blame for the lack of further investigation at the time on the legal team.
"The 2014 Security Incident was not properly investigated and analyzed at the time, and the Company was not adequately advised with respect to the legal and business risks associated with the 2014 Security Incident," Yahoo wrote. "The Independent Committee found that failures in communication, management, inquiry and internal reporting contributed to the lack of proper comprehension and handling of the 2014 Security Incident."
Following the release of Yahoo's Form 10-K filing, Ron Bell, general counsel and corporate secretary at Yahoo since 2012, offered his resignation. However, many on Twitter, including Sue Glueck, academic relations director for Microsoft, and Ash Patel, former executive vice president at Yahoo, claimed Bell was a scapegoat and said the blame should fall on Yahoo CEO Marissa Mayer.
For her part in the matter, Mayer wrote in a blog post that because she was CEO when the Yahoo security breach occurred, she has declined her annual bonus and annual equity grant this year. She has also "expressed [her] desire that [her] bonus be redistributed to our company's hardworking employees, who contributed so much to Yahoo's success in 2016."
More Yahoo accounts breached
The fallout regarding the revelation of the 2014 Yahoo security breach wasn't the only new information in the SEC filing. There was also new information regarding the creation of forged cookies, which Yahoo originally disclosed in November 2016.
"Based on the investigation, we believe an unauthorized third party accessed the Company's proprietary code to learn how to forge certain cookies. The outside forensic experts have identified approximately 32 million user accounts for which they believe forged cookies were used or taken in 2015 and 2016," Yahoo wrote. "We believe that some of this activity is connected to the same state-sponsored actor believed to be responsible for the 2014 Security Incident. The forged cookies have been invalidated by the Company, so they cannot be used to access user accounts."
Terry Ray, chief product strategist at Imperva, a cybersecurity software company based in Redwood Shores, Calif., said it may be "easy to villainize a company" for a data leak, but preventing this kind of forged-cookie attack is harder than some might think.
"The sad, unfortunate truth about web applications is that most of them are not patched when they should be. Almost all of them have components that rarely, if ever, get patched, and cookie attacks don't get the same level [of] attention as more common attacks, like SQL injection and cross-site scripting," Ray told SearchSecurity. "I don't know what security controls Yahoo had in place protecting their web applications beyond standard coding practices, but they should have at least had a web application firewall capable of detecting cookie injection, unknown cookies and forged cookies."
Michael Patterson, CEO of Plixer International Inc., a network security software company based in Kennebunk, Maine, said the Yahoo security breach should drive a discussion regarding a "punitive process for companies that fail to properly disclose when customer data has been compromised."
"Yahoo, under the leadership of Marissa Mayer, has negotiated a $5 billion sale to Verizon, while only paying $350 million in damages. It could be surmised that if the Yahoo breach had been disclosed prior to the Verizon deal, the sale price would have been impacted by far more than the $350 million in damages paid," Patterson told SearchSecurity. "The lack of greater penalty is essentially an incentive for companies not to publicly disclose security breaches. Unfortunately, in this case, the customers whose data was stolen will pay a bigger price than the company that failed to properly protect that data."