(Editor's Note: See updated story: Russian Spies, Two Others, Indicted in Yahoo Hack.)
See Also: Threat Intelligence - Hype or Hope?
Numerous unanswered questions continue to surround two massive and separate data breaches that occurred at search giant Yahoo in 2013 and 2014. But some clarity may soon be forthcoming.
U.S. prosecutors are expected to issue indictments, charging four individuals with having been involved in hacking attacks against Sunnyvale, Calif.-based Yahoo, an unnamed person who's been briefed on the matter tells Bloomberg, which first reported the news.
Reuters reports that it has likewise confirmed the account with a source who's been briefed on the matter.
The Department of Justice and Yahoo couldn't be immediately reached for comment.
The indictments are expected to be announced on March 15, following the arrest on March 14 of one suspect in Canada, according to the news reports. Three other suspects are reportedly based in Russia, which has historically never extradited individuals who have been charged with a crime outside the country.
A Brief History of Yahoo's Breaches
It's not clear to which hack attacks the charges might relate. Yahoo suffered two massive breaches, and numerous details have continued to come to light in the past six months:
- Sept. 22, 2016: Yahoo warns that a late-2014 breach affected 500 million or more users. The search giant said it learned about the breach from law enforcement agencies. It has attributed the breach to a state-sponsored actor, although at least one security firm says it believes the attack was instead the work of mercenaries.
- Nov. 9, 2016: In a Securities and Exchange Commission filing, Yahoo said that it was investigating if the 2014 attackers then used forged cookies to access users' accounts without authorization. In recent weeks, investigators say cookies for 32 million user accounts appear to have been stolen or used by attackers in 2015 and 2016.
- Dec. 14, 2016: Yahoo said that it had discovered a breach, which it believes occurred in August 2013, had compromised 1 billion accounts. It believes that breach is separate to the 2014 breach, and to date has revealed no information relating to the potential identity of the attackers.
Verizon Deal Delayed
In general, breached businesses suffer no long-term consequences. Aside from some hacked bitcoin exchanges that went out of business - as a result of losing all of their cryptocurrency - most hacked organizations and their stock prices soon recover.
Yahoo, however, had the misfortune to have discovered the 2013 breach, as well as the full extent of the 2014 breach, after Verizon offered to buy the struggling search giant for $4.83 billion in July 2016.
News of the breaches threatened to derail the deal, and ultimately trimmed $350 million off the purchase price.
Last year, Yahoo's board of directors launched an independent investigation into the 2014 breach, which the company had detected. The results of the inquiry found that while the company didn't ignore the breach, the senior management team and legal department failed to fully appreciate or investigate the incident. As a result of the investigation, Yahoo's lead attorney, Ronald S. Bell, resigned, and the board announced that it was denying Yahoo CEO Marissa Mayer a $2 million bonus and up to $12 million in equity awards.
Golden Parachute for CEO
The deal with Verizon, however, now looks set to close by the end of June, according to a March 13 proxy filing by Yahoo. It says that Mayer will be eligible for a $23 million golden parachute in the event that she doesn't get hired by Verizon after it acquires Yahoo's search and other related properties. What's left of Yahoo will be named Altaba, and Mayer will not be on its board or management team.
Yahoo now faces more than 40 class-action lawsuits filed in the United States and abroad, and says it's assisting with related investigations being run by the Securities and Exchange Commission, Federal Trade Commission, the Manhattan U.S. Attorney's Office, as well as two state attorneys general.