An independent committee established by Yahoo after it disclosed the breach in September found that the company did know of an intrusion that took place in 2014, but failed to investigate it properly.
In December 2014, Yahoo’s security team knew that a state-sponsored attacker “exfiltrated copies of user database backup files” containing Yahoo user account data, but it’s “unclear whether and to what extent such evidence of exfiltration was effectively communicated and understood” outside of the security team, according to the filing.
It’s been a series of unfortunate events Yahoo, which have recently resulted in Verizon Communications paying $350 million less to acquire the company in a deal that’s expected to close in the second quarter of this year.