Yahoo revealed on Wednesday that some employees at Yahoo knew of a large security breach in 2014, but the company did not reveal the security breach to users until September 2016.
It has also been revealed that hackers may have planted “software cookies” in order to repeatedly access user accounts.
“Forensic experts are currently investigating certain evidence and activity that indicates an intruder, believed to be the same state-sponsored actor responsible for the security Incident, created cookies that could have enabled such intruder to bypass the need for a password to access certain users’ accounts or account information,” said Yahoo on the attack that left around 500 million accounts vulnerable.
Names, email addresses, phone numbers, birth dates, and security question answers were all revealed in the security breach. However, Yahoo claims that unhashed passwords and payment details were left protected.
Revealing their knowledge of the security breach two years prior to announcing it, Yahoo also claimed, “The company had identified that a state-sponsored actor had access to the company’s network in late 2014″ in a filing with the Securities and Exchange Commission.
Yahoo is currently in the process of being acquired by Verizon, however the company is reportedly seeking a $1 billion discount on their $4.8 billion purchase following the recent controversies surrounding Yahoo.
This also includes the revelations that Yahoo has allowed government surveillance agencies to secretly scan through user emails, and a federal lawsuit that is currently being filed against Yahoo CEO Marissa Mayer, claiming that she led an illegal purge of male employees from the company.
“I’ve got an obligation to make sure that we protect our shareholders and our investors, so we’re not going to jump off a cliff blindly,” said Verizon Executive Vice Predident Marni Walden about the deal.