Yahoo! Fined 35 Million USD For Late Disclosure Of Hack

The New Acunetix V12 Engine


Ah Yahoo! in trouble again, this time the news is Yahoo! fined for 35 million USD by the SEC for the 2 years delayed disclosure of the massive hack, we actually reported on the incident in 2016 when it became public – Massive Yahoo Hack – 500 Million Accounts Compromised.

Yahoo! Fined 35 Million USD For Late Disclosure Of Hack

Yahoo! has been having a rocky time for quite a few years now and just recently has sold Flickr to SmugMug for an undisclosed amount, I hope that at least helps pay off some of the fine.


The Disaster Formerly Known as Yahoo! has been fined $35m by US financial watchdog, the SEC, for failing to tell anyone about one of the world’s largest ever computer security breaches.

Now known as Altaba following its long, slow and painful descent in irrelevance, Yahoo! knew that its entire user database – including billions of usernames, email addresses, phone numbers, birthdates, passwords, security questions – had been grabbed by Russian hackers back in December 2014 – just days after the break-in occurred.

Security staff informed senior Yahoo! management and its legal department, who then demonstrated the same kind of business and strategic nous that saw the company fold into itself when they decided to, um, not tell anyone.

It wasn’t until two years later when telco giant Verizon said it wanted to buy the troubled company that Yahoo! finally revealed the massive breach.

The SEC is, understandably, not overly impressed. “Yahoo! failed to properly investigate the circumstances of the breach and to adequately consider whether the breach needed to be disclosed to investors,” it said Tuesday, before the co-director of its enforcement division, Steven Peikin, gave what amounts to a vicious burn in the regulatory world.

“We do not second-guess good faith exercises of judgment about cyber-incident disclosure,” said Peikin. “But we have also cautioned that a company’s response to such an event could be so lacking that an enforcement action would be warranted. This is clearly such a case.”


Honestly, it was a pretty shady move, they knew about the compromise DAYS after the incident, it was escalated to the legal team and the senior management – they had material information but they chose to sit on it until the Verizon acquisition was on the table and due diligence would have uncovered it anyway.

Not exactly responsible disclosure or doing the best for the customers is it? But then, that’s Yahoo! and decisions like that demonstrate exactly why they are irrelevant today in 2018.

Another SEC staffer – director of its San Francisco office, Jina Choi, also piled in, noting that: “Yahoo!’s failure to have controls and procedures in place to assess its cyber-disclosure obligations ended up leaving its investors totally in the dark about a massive data breach. Public companies should have controls and procedures in place to properly evaluate cyber incidents and disclose material information to investors.”

Yahoo! should have let investors know about the massive breach in its quarterly and annual reports because of the huge business and legal implications to its business, the SEC said.

But it didn’t of course – probably because it was already desperate to get someone to buy it following years of abortive efforts by CEO Marissa Meyer to turnaround what was once the internet’s poster child.

The SEC also found that Yahoo! did not share information on the breach with either auditors or its outside lawyers. The Canadian who helped the Russians gain access to the data faces eight years in jail.

Yahoo! has “neither admitted nor denied the findings in the SEC’s order” – which is so Yahoo!.

For some reason Verizon still bought the dried out husk of the company in June 2017, although it extracted a significant reduction in the share price. It paid $350m less than its initial offer but it is estimated that it will cost Verizon $500m to clean up the mess Yahoo! left behind.

I’m starting to wonder if they will even still exist in 2025 or will have totally faded to join AskJeeves and Altavista.

The only value in Yahoo! today is basically it’s stake in Alibaba, Verizon bought it for 5% of it’s peak value and now it’s probably worth even less (Maybe only $1-2 Billion vs $100 Billion at its peak).

Source: The Register

Posted in: Hacking News


Latest Posts:


Intercepter-NG - Android App For Hacking Intercepter-NG – Android App For Hacking
Intercepter-NG is a multi functional network toolkit including an Android app for hacking, the main purpose is to recover interesting data from the network stream and perform different kinds of MiTM attacks.
dcipher - Online Hash Cracking Using Rainbow & Lookup Tables dcipher – Online Hash Cracking Using Rainbow & Lookup Tables
dcipher is a JavaScript-based online hash cracking tool to decipher hashes using online rainbow & lookup table attack services.
HTTP Security Considerations - An Introduction To HTTP Basics HTTP Security Considerations – An Introduction To HTTP Basics
HTTP is ubiquitous now with pretty much everything being powered by an API, a web application or some kind of cloud-based HTTP driven infrastructure. With that HTTP Security becomes paramount and to secure HTTP you have to understand it.
Cangibrina - Admin Dashboard Finder Tool Cangibrina – Admin Dashboard Finder Tool
Cangibrina is a Python-based multi platform admin dashboard finder tool which aims to obtain the location of website dashboards by using brute-force, wordlists etc.
Enumall - Subdomain Discovery Using Recon-ng & AltDNS Enumall – Subdomain Discovery Using Recon-ng & AltDNS
Enumall is a Python-based tool that helps you do subdomain discovery using only one command by combining the abilities of Recon-ng and AltDNS.
RidRelay - SMB Relay Attack For Username Enumeration RidRelay – SMB Relay Attack For Username Enumeration
RidRelay is a Python-based tool to enumerate usernames on a domain where you have no credentials by using a SMB Relay Attack with low privileges.


Comments are closed.