Some Yahoo Employees Aware of 2014 Breach, Company Admits

Yahoo Logo AH4

A Cybersecurity breach does not discriminate its victims, and even large tech companies are falling prey to attacks. One such company is Yahoo, which suffered a massive data breach in 2014 that compromised at least half a billion user accounts. While it can take months or years before a company detects a cyber breach, as modern hackers use sophisticated tools to remain obscure for a long period, a new Securities and Exchange filing reveals some Yahoo employees were aware of the hacking incident at the company back then.

Yahoo admitted in its 10-k form filed with the SEC on Wednesday that it had detected a state-sponsored breach to its network two years ago. The company said in its filing that an independent committee has launched an investigation into the breach, probing how many employees knew of the unauthorized access to Yahoo’s network back in 2014 and the years that followed. Compromised user data included email addresses, telephone numbers, birth dates, passwords, and other security-related information. The latest SEC filing reveals more than that. Yahoo admitted that state-sponsored hackers used cookie forgery to keep their access to the users’ email accounts. The method involves a technique to bypass password security measures, though at present Yahoo assured users that its Yahoo Mail service is safe from the cookie forgery attack.

The breach came out in the open in August when an infamous hacker going by the name ‘Peace’ reportedly sold at least 200 million Yahoo accounts. Yahoo later dismissed the report as baseless, though it looked into the issue and found that the report was in fact just the tip of the iceberg. As a result of the breach, Yahoo paid $1 million in breach-related liabilities and faced dozens of class action suits.


Ongoing disclosures of the data breach are threatening to jeopardize the acquisition talks between Yahoo and Verizon. The carrier plans to buy the search engine company for $4.8 billion. While Yahoo has yet to determine the real scope of access regarding user information, the incident has a serious implication not only to the hundreds of millions of users but also to the company’s security practice in general.