A senior Yahoo executive addressed a massive security incident on Wednesday, offering additional details about a breach that saw hackers steal personal data from more than 500 million customer accounts in late 2014.
Speaking at the Structure Security event in San Francisco, chief security officer Bob Lord said that a Motherboard report this summer, which described a hacker selling Yahoo accounts on the Internet, was not related to the massive hack the company disclosed last week.
Lord said there had been “confusion” over the Motherboard report, which he said related to an incident in July.
Get Data Sheet, Coins2Day’s technology newsletter.
“Although the dates are somewhat close in time, these are independent matters and are unrelated,” said Lord, who later clarified that the company could not substantiate the hacker’s claims he had Yahoo accounts for sale.
An investigation into those claims, however, led the company to uncover the catastrophic 2014 hack, according to Lord.
The questions over timing are critical because many, including members of Congress, are asking if Yahoo took too long to warn its users. Yahoo (YHOO) has already been hit by class action lawsuits and may have broken state laws related to disclosing data breaches.
Yahoo’s position looks even more precarious in light of a damning report in the New York Times that describes a lax security culture, and that cites unnamed employees to say CEO Marissa Mayer rejected calls to tell users with compromised accounts to change their passwords.
Yahoo Confirms Its Biggest Data Breach Ever
In response to a question about the Times article, Lord said he had read it but “didn’t understand” the claims about Mayer discouraging password change.
More broadly, Lord said he could not disclose further information due to legal constraints, but reiterated Yahoo’s early assertion that the massive 2014 hack was perpetuated by a nation state (a claim that has been challenged). Yahoo is still investigating the breach and has said it will release more details in the future.
Despite the controversy over the breach, Lord praised the security team at Yahoo, who are known internally as “the Paranoids,” adding he joined the company in 2015 because of their reputation.
Yahoo Has Been Hacked: What You Need to Know
Meanwhile, consumers are still coming to terms with the implications of the 500 million account hack, which appears to be the biggest such incident in history. It resulted in hackers taking names, email addresses and passwords. While Yahoo says it had protected the passwords with encryption, the extent of that protection is unclear. Worse, the company says in come cases the hackers obtained security questions and answers — which would open up the accounts.
The ongoing uncertainty is also casting uncertainty over a plan for phone giant Verizon (VZ) to acquire Yahoo. While the merger was considered to be a done deal as of the last week, there are signs Verizon could walk away due to the breach.
