Company formerly known as Yahoo to pay $35M over massive breach

Altaba, called Yahoo before the Verizon buyout, will have to pay for a failure to disclose a giant data breach from 2014.

Alfred Ng Senior Reporter / CNET News
Yahoo's cybersecurity failures continue to haunt the company -- now to the tune of $35 million.

The US Securities and Exchange Commission said Tuesday that Altaba, the company formed from the ashes of Yahoo's sale to Verizon, has agreed to pay a penalty of that amount to settle charges that Yahoo failed to disclose a massive data breach from December 2014. 

That breach, a state-sponsored attack, affected at least 500 million users and was considered the largest data breach in history until Yahoo announced that all 3 billion accounts on the website had been hit in a separate 2013 hack.

In the 2014 breach, Russian hackers stole data including phone numbers, passwords, birth dates and email addresses. The cyberattack didn't become public knowledge until 2016, when Yahoo announced it in a press release. 

"Yahoo's failure to have controls and procedures in place to assess its cyber-disclosure obligations ended up leaving its investors totally in the dark about a massive data breach," Jina Choi, director of the SEC's San Francisco regional office, said in a statement. 

Altaba declined to comment. 

Disclosing breaches to the public in a timely manner is important, for both investors and the people using the platform. It ensures that people can take precautions with their digital lives before it's too late. But companies have been slow to announce these hacks.  

Multiple tech companies have faced scandals over being tardy to disclose a breach. In March, the Pennsylvania attorney general slammed Uber for waiting more than a year to reveal a breach. Facebook has been criticized for its Cambridge Analytica data scandal -- though no breach was involved -- because the social network took up to two years to notify the public after it learned about the issue, in 2015. 

"I've been saying for years that Yahoo's failures to notify customers and investors about its massive data breach didn't pass the smell test," Sen. Mark Warner, a Democrat from Virginia, said in a statement. "Holding the company accountable is important, and I hope others will learn you can't sweep this kind of thing under the rug." 

The SEC launched its investigation in January 2017, arguing that Yahoo misled investors by keeping quiet about its breaches. The revelations came as Yahoo was attempting to close a $4.83 billion acquisition deal with Verizon. The cybersecurity shortcomings led Verizon to knock $350 million off its buying price and insist that the companies split legal and financial responsibilities related to the hack. 

In a separate SEC filing from 2016, Yahoo admitted that some of its employees were aware of the 2014 breach but failed to disclose it. 

The Justice Department has indicted the four hackers responsible for Yahoo's 2014 hack, though the attackers behind the 2013 breach are still unknown. Marissa Mayer, Yahoo's CEO during the breaches, apologized to Congress last November, but she didn't explain why it took so long to announce the attack. 

First published 9:35 a.m. PT.
Updates, 9:47 a.m.: Includes details on breach disclosures; 10:02 a.m.: Adds statements from Sen. Mark Warner and Altaba.