Yahoo’s latest filing to the US Securities and Exchange Commission (SEC) reveals that at least some of its employees were aware in 2014 that its systems had been breached.
Here’s the relevant section of the filing (bolding added by me):
In late July 2016, a hacker claimed to have obtained certain Yahoo user data. After investigating this claim with the assistance of an outside forensic expert, the Company could not substantiate the hacker’s claim. Following this investigation, the Company intensified an ongoing broader review of the Company’s network and data security, including a review of prior access to the Company’s network by a state-sponsored actor that the Company had identified in late 2014. Based on further investigation with an outside forensic expert, the Company disclosed the Security Incident on September 22, 2016, and began notifying potentially affected users, regulators, and other stakeholders.
The Company, with the assistance of outside forensic experts, continues to investigate the Security Incident and related matters. The Company is actively working with U.S. law enforcement authorities on this matter.
As described above, the Company had identified that a state-sponsored actor had access to the Company’s network in late 2014. An Independent Committee of the Board, advised by independent counsel and a forensic expert, is investigating, among other things, the scope of knowledge within the Company in 2014 and thereafter regarding this access, the Security Incident, the extent to which certain users’ account information had been accessed, the Company’s security measures, and related incidents and issues.
In addition, the forensic experts are currently investigating certain evidence and activity that indicates an intruder, believed to be the same state-sponsored actor responsible for the Security Incident, created cookies that could have enabled such intruder to bypass the need for a password to access certain users’ accounts or account information.
It was recently revealed that Yahoo chose not to reset users’ passwords two years ago.