Yahoo has agreed to pay a $35 million penalty after failing to properly notify customers and investors that hackers had compromised hundreds of millions of user accounts, the Securities and Exchange Commission (SEC) announced Tuesday.
According to the SEC's order, within days of the December 2014 intrusion, Yahoo's information security team learned that Russian hackers had stolen what the security team referred to internally as the company's "crown jewels".
"We do not second-guess good faith exercises of judgment about cyber-incident disclosure", said Steven Peikin, co-director of the SEC Enforcement Division.
Prosecutors said Tuesday that two Russian intelligence agents, Dokuchaev and Igor Sushchin, used information they stole from Yahoo to spy on Russian journalists, US and Russian government officials, and employees of financial services and other private businesses. The company declined to comment. The details of the hacking became public during Verizon's acquisition of Yahoo.
Sen. Mark Warner, D-Va., the ranking member on the Senate Banking Subcommittee on Securities, Insurance, and Investment, tweeted in vindication, saying that breaches like Yahoo's can't be swept "under the rug".
Yahoo, which was once one of the leading internet firms, sold its main online operations to Verizon a year ago in a deal valued at $4.48 billion. The information included names, email addresses, telephone numbers, dates of birth and, in some cases, encrypted or unencrypted security questions and answers, Yahoo said.
In a statement late on Tuesday, the SEC said the entity formerly known as Yahoo! In February 2017, they filed computer fraud and other charges against Dokuchaev, Sushchin and two other men - another Russian national, Alexsey Belan, and a Canadian named Karim Baratov.
The SEC order also found that Yahoo failed to have procedures in place to deal with such a breach or the threat of future hacks, as well as how to disclose such incidents in a timely and proper fashion. Baratov pleaded guilty in November to one count of conspiracy to commit computer fraud and abuse and eight counts of aggravated identity theft.
Chhabria stressed that Baratov was not behind the Yahoo hack.