- On Monday, law enforcement authorities shared data with Yahoo they said was provided by a hacker who accessed user account data, according to Securities and Exchange Commission filings.
- The company is working with forensic experts to investigate whether the information is actually Yahoo user account data.
- The disclosure of potential additional security incidents comes on the heels of investigation results related to the 2014 data breach. Yahoo said company insiders did know about the breach in 2014, but are investigating the "scope of knowledge" of the incident at that time. Thus far the company is facing 23 putative consumer class action lawsuits related to the breach.
The news of a related incident comes after Yahoo disclosed in September that 500 million user accounts were compromised in a 2014 breach. In the SEC filing, the company said it had spent $1 million in expenses related to the security incident during the quarter that ended on September 30.
In its investigation report to investors, Yahoo again said a "state-sponsored actor" was responsible for the network breach. The hackers cookies they created to bypass password requirements for user account access, according to the filings.
The size and scope of the breach has drawn criticism from both industry leaders and legislators. Many are concerned about how long it took the company to disclose the attack the public. The investigation is still ongoing, but Yahoo remains pressured to disclose more information, particular because of Verizon's bid to purchase the struggling internet company. In October, Verizon indicated that the deal may be in jeopardy because of Yahoo's failure to disclose the breach.