Last week's Yahoo data breach is considered the largest intrusion in history with over 500 million accounts compromised.
Information stolen may include names, email addresses, telephone numbers, birthdays, hashed passwords and even encrypted or unencrypted security questions and answers.
Earlier this week, a group of U.S. senators, led by Vermont Senator Patrick Leahy, sent a letter to Yahoo CEO Marissa Mayer asking for a detailed timeline of the Yahoo breach, how widespread the attack was and what actions Yahoo is taking to protect its users now and from future attacks.
More importantly, the letter also asks how, if the breach occurred two years ago, such an attack could have happened at all and then remained undisclosed for two years.
As the letter states,
"We are even more disturbed that user information was first compromised in 2014, yet the company only announced the breach last week. That means millions of Americans’ data may have been compromised for two years. This is unacceptable. This breach is the latest in a series of data breaches that have impacted the privacy of millions of American consumers in recent years, but it is by far the largest. Consumers put their trust in companies when they share personal and sensitive information with them, and they expect all possible steps be taken to protect that information."
The letter proceeds to ask these tough questions:
- When and how did Yahoo first learn that its users’ information may have been compromised? Please provide a timeline detailing the nature of the breach, when and how it was discovered, when Yahoo notified law enforcement or other government authorities about the breach, and when Yahoo notified its customers.
- Press reports indicate the breach first occurred in 2014, but was not discovered until August of this year. If this is accurate, how could such a large intrusion of Yahoo’s systems have gone undetected?
- Which Yahoo accounts, services, or sister sites have been affected?
- How many total users are affected? How were these users notified?
- What protection is Yahoo providing the 500 million Yahoo customers whose identities and personal information are now compromised?
- What steps can consumers take to best protect the information that may have been compromised in the Yahoo breach?
- What is Yahoo doing to prevent another breach in the future? Has Yahoo changed its security protocols, and in what manner?
- Did anyone in the U.S. government warn Yahoo of a possible hacking attempt by state-sponsored hackers or other bad actors? When was this warning issued?
U.S. Senator Mark Warner also asked the Securities and Exchange Commission to verify whether Yahoo improperly withheld information about the data breach. The senator cites reports indicating that Mayer knew about the breach as early as July of this year while working on the details of the Verizon-Yahoo buyout deal.
Yahoo has not released its official answers yet, but reports indicate that Mayer's management decisions contributed to the severity of the breach.
According to the New York Times, Yahoo's security protocols to protect its users are not up to snuff, especially when compared with other leading tech companies.
When Mayer took over as Yahoo's CEO in 2012, she deemphasized security improvements in favor of designing cleaner user interfaces for its services and developing new products. This cost reduction created friction between her and the company's internal security team.
The reports say that Mayer refused to implement the automatic reset of Yahoo user passwords after a security breach for fear of losing email customers to other services.
Other security failings include not launching a software bug bounty program until 2012 and not providing strong end-to-end encryption in its services. According to employees, the reason for the thumbs-down on encryption was that it would make it harder for Yahoo to search and index message data for its newer services.
To read Senator Leahy's letter, check this official press release from the U.S. Senate.