Yahoo will be probed by the United States Securities and Exchange Commission (SEC), it has been reported, with authorities expected to investigate whether the company should have disclosed its two data breaches sooner to investors.
According to The Wall Street Journal, the SEC investigation is still in its early stages, and is expected to look into whether Yahoo’s disclosures about the data breaches complied with civil securities laws.
Yahoo disclosed the details of its first hack in September last year, pointing its finger towards a state-sponsored actor nearly two years after the breach allegedly took place.
Approximately 500 million user accounts were affected by the largest known data breach in history, with Yahoo saying at the time that while passwords and other information were stolen, payment and bank information remained safe.
In November, the former tech giant said it was cooperating with federal, state, and foreign agencies that were seeking information on the 2014 breach. The Wall Street Journal said those agencies include the Federal Trade Commission, the US attorney’s office in Manhattan, and a number of State Attorneys General, in addition to the SEC.
A second hack was then revealed in December, with more than 1 billion accounts believed to have been stolen back in August 2013, a year prior to the previously disclosed attack.
In a statement, Yahoo said the hackers may have stolen names, email addresses, telephone numbers, hashed passwords, dates of birth, and, in some cases, encrypted or unencrypted security questions and answers.
“Based on the ongoing investigation, the company believes an unauthorised third party accessed the company’s proprietary code to learn how to forge cookies,” the statement said. “The outside forensic experts have identified user accounts for which they believe forged cookies were taken or used.”
A Yahoo spokesperson told ZDNet at the time that the company was “working closely with law enforcement”.
In September, Democratic Senator Mark Warner asked the SEC to investigate whether Yahoo and its executives fulfilled its obligations to go public about the 2014 hack.
Before knowing about the second hack, Warner said in a letter to the SEC that public companies such as Yahoo are required to disclose material events that the public and shareholders should know about, noting that “disclosure is the foundation of federal securities law”.
He also asked the SEC to look into whether Yahoo made accurate representations concerning the security of its IT systems.
At the same time, six senior US senators said Yahoo’s two-year delay in reporting was “unacceptable”, and asked Yahoo CEO Marissa Mayer to explain why the information was not disclosed back when the breach took place.
It was revealed earlier this month that upon the closing of the $4.8 billion sale of Yahoo’s operating business to Verizon, the remaining parts of Yahoo will be renamed to Altaba Inc as it begins its new direction as an investment company.
Mayer will not be joining Altaba Inc.