Euro Security Watch with Mathew J. Schwartz

Incident & Breach Response , Security Operations

Report: Justice Department Preps Yahoo Hack Indictments

To Which of Yahoo's Two Record-Setting Breaches Do Charges Relate?
Report: Justice Department Preps Yahoo Hack Indictments
Yahoo's headquarters in Sunnyvale, Calif. (Source: Yahoo)

(Editor's Note: See updated story: Russian Spies, Two Others, Indicted in Yahoo Hack.)

See Also: Breaking Free from VPN Limitations: Simplifying Remote Access Security

Numerous unanswered questions continue to surround two massive and separate data breaches that occurred at search giant Yahoo in 2013 and 2014. But some clarity may soon be forthcoming.

U.S. prosecutors are expected to issue indictments, charging four individuals with having been involved in hacking attacks against Sunnyvale, Calif.-based Yahoo, an unnamed person who's been briefed on the matter tells Bloomberg, which first reported the news.

Reuters reports that it has likewise confirmed the account with a source who's been briefed on the matter.

The Department of Justice and Yahoo couldn't be immediately reached for comment.

The indictments are expected to be announced on March 15, following the arrest on March 14 of one suspect in Canada, according to the news reports. Three other suspects are reportedly based in Russia, which has historically never extradited individuals who have been charged with a crime outside the country.

A Brief History of Yahoo's Breaches

It's not clear to which hack attacks the charges might relate. Yahoo suffered two massive breaches, and numerous details have continued to come to light in the past six months:

  • Sept. 22, 2016: Yahoo warns that a late-2014 breach affected 500 million or more users. The search giant said it learned about the breach from law enforcement agencies. It has attributed the breach to a state-sponsored actor, although at least one security firm says it believes the attack was instead the work of mercenaries.
  • Nov. 9, 2016: In a Securities and Exchange Commission filing, Yahoo said that it was investigating if the 2014 attackers then used forged cookies to access users' accounts without authorization. In recent weeks, investigators say cookies for 32 million user accounts appear to have been stolen or used by attackers in 2015 and 2016.
  • Dec. 14, 2016: Yahoo said that it had discovered a breach, which it believes occurred in August 2013, had compromised 1 billion accounts. It believes that breach is separate to the 2014 breach, and to date has revealed no information relating to the potential identity of the attackers.

Verizon Deal Delayed

In general, breached businesses suffer no long-term consequences. Aside from some hacked bitcoin exchanges that went out of business - as a result of losing all of their cryptocurrency - most hacked organizations and their stock prices soon recover.

Yahoo, however, had the misfortune to have discovered the 2013 breach, as well as the full extent of the 2014 breach, after Verizon offered to buy the struggling search giant for $4.83 billion in July 2016.

News of the breaches threatened to derail the deal, and ultimately trimmed $350 million off the purchase price.

Last year, Yahoo's board of directors launched an independent investigation into the 2014 breach, which the company had detected. The results of the inquiry found that while the company didn't ignore the breach, the senior management team and legal department failed to fully appreciate or investigate the incident. As a result of the investigation, Yahoo's lead attorney, Ronald S. Bell, resigned, and the board announced that it was denying Yahoo CEO Marissa Mayer a $2 million bonus and up to $12 million in equity awards.

Golden Parachute for CEO

The deal with Verizon, however, now looks set to close by the end of June, according to a March 13 proxy filing by Yahoo. It says that Mayer will be eligible for a $23 million golden parachute in the event that she doesn't get hired by Verizon after it acquires Yahoo's search and other related properties. What's left of Yahoo will be named Altaba, and Mayer will not be on its board or management team.

Yahoo now faces more than 40 class-action lawsuits filed in the United States and abroad, and says it's assisting with related investigations being run by the Securities and Exchange Commission, Federal Trade Commission, the Manhattan U.S. Attorney's Office, as well as two state attorneys general.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.