WASHINGTON A group of Democratic U.S. senators on Tuesday demanded Yahoo Inc (YHOO.O) explain why hackers’ theft of user information for half a billion accounts two years ago only came to light last week and lambasted its handling of the breach as “unacceptable.”
The lawmakers said they were “disturbed” the 2014 intrusion, disclosed by the company on Thursday, was detected so long after the hack occurred.
“That means millions of Americans’ data may have been compromised for two years,” the senators wrote in a joint letter addressed to Yahoo Chief Executive Officer Marissa Mayer. “This is unacceptable.”
Yahoo did not immediately respond to a request for comment about the letter, which was signed by Senators Patrick Leahy, Al Franken, Elizabeth Warren, Richard Blumenthal, Ron Wyden and Edward Markey.
Yahoo has faced mounting questions about exactly when it knew about the 2014 cyber attack that exposed the email credentials of users, a critical issue for the company as it seeks to prevent the breach from affecting a pending takeover of its core business by Verizon Inc (VZ.N).
The internet firm has said it detected the breach this summer after conducting a security review prompted by an unrelated hacking claim that turned out to be meritless. Yahoo has not given a precise timeline explaining when it was made aware of the 2014 attack, or if it knew of the breach before announcing the deal with Verizon in late July.
The senators requested a briefing from Yahoo to explain the company’s investigation into the breach, its cooperation with law enforcement and national security authorities and plans to protect affected users.
The senators asked Mayer for a timeline of the hack and its discovery and how such a large breach went undetected for so long. They also asked what Yahoo was doing to prevent another breach in the future, if the company has changed its security protocols and whether the U.S. government had warned of a possible hacking attempt.
The letter came a day after Democratic Senator Mark Warner asked the U.S. Securities and Exchange Commission to investigate whether Yahoo and its senior executives fulfilled obligations to inform investors and the public about the hacking attack, which Yahoo has blamed on a “state-sponsored actor.”
(Reporting by Dustin Volz; Editing by Andrew Hay and Cynthia Osterman)