Yahoo (YHOO) on Thursday afternoon disclosed a security breach involving at least 500 million customers, but questions are being raised about whether the internet company should have moved sooner to protect users.
News that Yahoo would disclose the hack was reported Thursday by Recode, which cited several anonymous sources close to the situation. Those sources describe the breach as “widespread and serious,” while declining to elaborate because of possible government investigations and potential lawsuits.
In early August, tech site Motherboard reported that a hacker who goes by the moniker “Peace” was selling information, including user names, birth dates and scrambled passwords, from 200 million Yahoo accounts.
“Consumers should not be reading in the news something Yahoo hasn’t told them,” said Susan Grant, director of consumer protection and privacy at the Consumer Federation of America. “They should be hearing this from Yahoo, not only that we had this problem -- but also about what to do.”
In confirming the attack on Thursday, Yahoo said user account information was stolen from the company’s network in late 2014 by what the company called a The data may have included names, email addresses, phone numbers, dates of birth and passwords.
Yahoo initiated an internal probe following a report in July of a hacker selling 280 million user credentials on the black market, but found no evidence to substantiate the hacker’s claims, according to a source close to the company. A deeper review by the company’s security team found evidence that a data theft occurred in 2014, the source said.
Yahoo declined comment as to why the company had not notified users earlier.
Like other companies, Yahoo is subject to data-breach notification laws in effect in 48 states that require companies to alert customers within specific periods of time that their information has been compromised.
“There are sometimes exceptions for notification when there are good reasons for law enforcement purposes for not revealing,” said Grant. But in Yahoo’s case the data loss has already been revealed, she noted.
A complicating factor, both for companies and customers, is that notification laws can be ambiguous. In Yahoo’s home state of California, for instance, the statute stipulates only that “The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement.”
Beyond changing their passwords, Grant advised Yahoo users concerned that their information might be compromised to go to the government site identitytheft.gov and follow the prompts on what it calls a recovery plan.
The reports come as Yahoo looks to close its acquisition by telecommunications giant Verizon (VZ), which agreed in July to buy its internet business for $4.8 billion.
“It doesn’t appear Yahoo had hard enough defenses, and with a merger you have to worry about even more sensitive information being vulnerable,” Grant said. “When there’s more information that can be potentially there for the taking, it raises concerns about the adequacy of the security.”
“Within the last two days, we were notified of Yahoo’s security incident. We understand that Yahoo is conducting an active investigation of this matter, but we otherwise have limited information and understanding of the impact,” said a Verizon spokesperson. “We will evaluate as the investigation continues through the lens of overall Verizon interests, including consumers, customers, shareholders and related communities.”
AOL did not return requests for comment.