What did Yahoo executives know about multiple data breaches and attacks that the company suffered, and when did they know it?
Those questions have continued to dog Yahoo as it negotiates its sale to Verizon for $4.5 billion. That's $350 million less than the offer Verizon made last summer, before Yahoo last year revealed that it had discovered - or failed to appreciate the full extent of - massive breaches.
"We are keeping an eye out for signs of support for a national breach notification law."
Here's a brief timeline of Yahoo's related breach notifications:
- Sept. 22, 2016: Yahoo reports that a late-2014 breach affected 500 million or more users. Yahoo says it learned about the breach in 2016 from law enforcement agencies, and attributes it to a state-sponsored actor, although one security firm says it has evidence that mercenaries were involved instead.
- Nov. 9, 2016: In a Securities and Exchange Commission filing, Yahoo warns that it's investigating if attackers used forged cookies to access users' accounts without authorization, and says law enforcement has shared a set of purporting Yahoo user data that it recovered during an investigation.
- Dec. 14, 2016: Yahoo says a breach, believed to date from August 2013, compromised 1 billion user accounts, which is confirmed with the help of law enforcement agencies. Yahoo also confirms that the cookie-forging attacks did occur and says it appears to be the work of the attack group - supposedly state-sponsored - that it identified in its September 2016 warning.
- Feb. 15: Yahoo warns more users that they may have been targeted via the forged cookie attacks that the company flagged in its December disclosure.
Yahoo last month promised to brief U.S. Senate staffers on the latest information relating to the 2013 breach, including details of 2015 and 2016 cookie-forging attacks that allowed attackers to access some users' accounts without a password. But at the end of January - apparently with more cookie-forging attack details coming to light - Yahoo abruptly canceled its briefing.
Cue blowback from senators. On Feb. 10, Sen. John Thune, R-S.D., chairman of the Senate Committee on Commerce, Science and Transportation, and Sen. Jerry Moran, R-Kan., chairman of the committee's subcommittee on data security, wrote to Yahoo CEO Marissa Mayer, demanding answers to numerous breach-related questions, including a detailed timeline listing when breaches were discovered, law enforcement agencies alerted and affected consumers notified. Moran set a deadline of Feb. 23 for the responses.
On Feb. 23, April Boyd, Yahoo's head of global public policy, responded to the committee, saying that "in the spirit of cooperation," Yahoo would answer the committee's questions. She noted that the company, reflecting public statements that it's made, continues to investigate the breaches with the help of two outside digital forensic investigation firms - Stroz Friedberg and Mandiant.
And she said that during the current management team's tenure, the company has invested $250 million "in security initiatives ... including creating a 'Red Team' and developing the 'Bug Bounty' program" (see How Yahoo Hacks Itself).
Yahoo Dishes Out Breach Details
Yahoo's answers largely rehash what the search giant had already revealed via press releases and SEC filings.
The company says it believes that "a majority of the user accounts that were affected by the 2014 [security] incident ... [were] affected by the 2013 incident." But given that the 2013 breach may have compromised 1 billion accounts - or nearly all of Yahoo's user base - that's not exactly a shocking finding.
Yahoo also said that in September and December of last year, it required any users who had not changed their password since 2014 to do so, and also invalidated all security questions that it had been storing in unencrypted format, which it believes attackers also stole.
Boyd emphasized that Yahoo, which is publicly traded, had disclosed many of these details relating to its breach response and findings via quarterly updates to the SEC.
She also detailed a number of information security initiatives that the company has undertaken, such as providing users with a view of all devices and browsers that have been used to access their account, providing a "global logout" capability, hashing passwords using the bcrypt algorithm - plus salt, and continuing to refine authentication mechanisms, for example via OAuth as well as by "leveraging fingerprint-based authentication on certain smartphones."
Boyd also promised that Yahoo would be providing briefings to senators' staff.
Late last year, the SEC reportedly launched its own investigation into Yahoo and whether the company issued timely enough warnings about the breaches to investors.
National Breach Notification Deficit
One elephant in the room with Yahoo's back and forth with senators - or the SEC's investigation - is that details of the search giant's data breaches haven't come to light thanks to any national breach-notification rules in the United States, but rather state-level laws.
Some 47 states - plus the District of Columbia, Guam, Puerto Rico and the Virgin Islands - have breach notification laws on their books. Only Alabama, New Mexico and South Dakota have no laws relating to consumer breach notification.
Despite Congress debating a federal breach notification mandate for over a decade, it has failed to pass such a measure. One concern has been that some proposed bills would have put in place relatively weak requirements, meaning that breached organizations would then have to comply not just with the national law, but also any state laws mandating stronger notification requirements.
"We are keeping an eye out for signs of support for a national breach notification law," write privacy attorneys Cynthia J. Larose and Michael B. Katz of law firm Mintz Levin, in a recent blog post. "So far, there does not appear to be much political motivation for undertaking this effort."
In 2016, they say, 26 states weighed bills that revised their already existing breach notification processes, and five states passed related legislation. In multiple cases, legislation has expanded the definition of what constitutes "personal information," for example "to include medical, insurance or biometric data," Larose and Katz write.
One especially notable change occurred in California. As of Jan. 1, the attorneys say, the state's breach law will now "require disclosure to affected residents - and to the Attorney General if more than 500 Californians are affected - when encrypted personal data is acquired by an unauthorized person together with an encryption key or security credential that could render the personal data readable or useable."
Meanwhile, Europe has enacted the General Data Protection Regulation, which will begin to be enforced in May 2018. GDPR requires any breached organization, anywhere in the world - including the United States - to alert any affected consumers in Europe about breaches.
This story has been updated with additional detail about Yahoo's breach-notification timeline.