Former CEO of Yahoo, Marissa Mayer, appeared before the US Senate Commerce Committee on Wednesday (8 November) and delivered her testimony on the two Yahoo breaches that happened in 2013 and 2014. The company had disclosed that 1 billion accounts were affected at the time.
Mayer, in the hearing, blamed Russian hackers for at least one of the incidents, reports Reuters. The report also mentions that the originally estimated number of 1 billion hacked accounts has been updated by Verizon, which took over most of Yahoo's assets in June, to 3 billion accounts worldwide. This means every single active Yahoo account was affected by the hack.
"As CEO, these thefts occurred during my tenure, and I want to sincerely apologize to each and every one of our users," Mayer said at the hearing, where she was present with the former CEO of Equifax and a senior Verizon executive.
"Unfortunately, while all our measures helped Yahoo successfully defend against the barrage of attacks by both private and state-sponsored hackers, Russian agents intruded on our systems and stole our users' data," she added.
Mayer also said that she had no knowledge of whether the Russians were involved with the 2013 breach, although she had spoken of state-sponsored attacks.
Earlier this year, it was reported that federal prosecutors had, for the first time, brought criminal charges against Russian spies for cybercrimes, charging two Russian intelligence agents along with two hackers for the theft of 500 million Yahoo accounts in 2014. Only one of the four hackers who were arrested pleaded "not guilty" to the charges.
When asked why she took so long to identify the breach and why the number of affected account holders was not properly gauged, Mayer responded that Yahoo had no knowledge of the breach. The company reportedly did not learn of the hack when it happened in 2013 and only came to know of it after the US government handed over its findings in November 2016.
Comparing the attacks to an arms race, Mayer reportedly said that even robust defences were not enough when dealing with state-sponsored attacks and that any company, even the most well-protected ones, "could fall victim to these crimes."
She added that Yahoo prompted all its users to change their passwords to protect their data.
At the hearing, Senator Bill Nelson said: "Only stiffer enforcement and stringent penalties will help incentivise companies to properly safeguard consumer information."
Senator John Thune commented that Mayer's testimony was "important in shaping our future reactions," and said that cases like this provide additional momentum for Congress to approve legislation governing data breaches.