Four years later, Yahoo still doesn’t know how 3 billion accounts were hacked

On Wednesday, in a security hearing that called past and present executives of both Equifax and Yahoo to Washington, D.C., we learned a bit more about what Yahoo didn’t know about the biggest hack in history.

When pressed about how Yahoo failed to recognize that 3 billion accounts — and not 500 million as first reported — were compromised in what was later revealed to be a state-sponsored attack by Russia, former Yahoo CEO Marissa Mayer admitted that the specifics of the attack still remain unknown.

“To this day we have not been able to identify the intrusion that led to this theft,” Mayer told the Senate Commerce Committee. “We don’t exactly understand how the act was perpetrated. That certainly led to some of the areas where we had gaps of information.”

Notably, while Mayer is no longer with the company, Verizon Chief Privacy Officer Karen Zacharia, also present on the panel, did not chime in to disagree with that assessment.

Yahoo did not notice that it had been compromised in 2013 and 2014 until third-party evidence of the hack was presented to the company by law enforcement in 2016. Yahoo then began working with the Department of Justice and the FBI, and the agencies concluded that in 2014 the company was a victim of a massive Russian state-sponsored attack for which it was in no way prepared.

“Yahoo worked closely with law enforcement, including the Federal Bureau of Investigation, who were ultimately able to identify and expose the hackers responsible for the attacks,” Mayer said in her testimony. “We now know that Russian intelligence officers and state-sponsored hackers were responsible for highly complex and sophisticated attacks on Yahoo’s systems.”

According to Zacharia, Verizon obtained new details on the hack after it acquired Yahoo in June of 2017. The new parent company acted within a week to disclose the vastly widened scope of the attack, which tripled to 3 billion affected users.

“We obtained new information from a third party and reviewed it with the assistance of the same outside forensic experts that Yahoo had used previously,” Zacharia explained in her opening remarks. “Based on that review, we concluded that all accounts — and not just a subset — were impacted by the 2013 security incident.”