Some Yahoo employees knew as far back as 2014 about a massive data breach that exposed the personal information of up to 500 million account holders, the company said Wednesday in a filing with the Securities and Exchange Commission.
The data breach occurred two years ago, but Yahoo didn't publicly disclose the incident until this September. The company said at the time that it believed a "state-sponsored actor" stole a host of data about half a billion people, including their names, email addresses, telephone numbers, dates of birth, hashed passwords, and security questions and answers.
Yahoo said in its most recent SEC filing that an independent committee is now investigating "the scope of knowledge within the company in 2014," among other issues related to the data breach.
The company also said it believes the state-sponsored actor that stole the data "created cookies that could have enabled such intruder to bypass the need for a password to access certain users’ accounts or account information."
Yahoo currently is facing 23 separate class-action complaints stemming from the data breach. Some of the early lawsuits highlighted the time lag between the theft and Yahoo's disclosure.
"Despite the fact that the attack took place in late 2014, Yahoo was so grossly negligent in securing its users’ personal information that it says that it did not even discover the incident until the summer of 2016," Ronald Schwartz, a Yahoo user who lives in New York, alleged in a September complaint filed in federal court in San Jose, California.
Yahoo said it can't yet estimate potential losses related to the lawsuits. "The investigation into the security incident is ongoing, the legal proceedings remain in the early stages, alleged damages have not been specified, there is uncertainty as to the likelihood of a class or classes being certified or the ultimate size of any class if certified, and there are significant factual and legal issues to be resolved," the company stated.