Yahoo Discloses Breach Affects 32 Million Users




Yahoo disclosed on Thursday that its breach expanded to 32 million user accounts, which hackers accessed by using forged cookies. The disclosure follows the company's earlier revelation that 1.5 billion users were compromised in 2013 and 2014.
The company said in its latest annual filing that these intrusions are connected with the "same state-sponsored actor believed to be responsible for the 2014 breach," which affected 500 million accounts. In 2013, hackers were able to infiltrate at least 1 billion accounts.
"Based on the investigation, we believe an unauthorized third party accessed the company's proprietary code to learn how to forge certain cookies," Yahoo said.
Yahoo's CEO Marissa Mayer will not be paid her annual bonus and will not be awarded potentially lucrative stock options due to the fallout from the massive data breach and the company's slow reaction.
The company's report of the 2013 and 2014 data breaches forced Verizon (VZ) to lower its purchase price for the company to $4.48 billion from $4.83 billion.
When companies are breached, they are required by the SEC and state regulatory agencies to disclose the incident, but the rules are vague and fraught with loopholes. Each state has its own notification requirements, while the SEC says hacking incidents need to be materially relevant to be declared.
Determining how soon a company needs to disclose a hacking incident is complicated, as some companies work first with law enforcement to determine the breadth of the infiltration and what information was stolen. Some experts believe the regulations need to be stricter so the public can be informed sooner that their personal information, often including financial information such as credit card data, was stolen.