Yahoo revealed extensive details about its cybersecurity measures for the first time Thursday in a letter sent to senators after the company suffered two massive breaches of user data in recent years.
April Boyd, Yahoo's head of Public Policy, wrote the letter and many of the same accounts were affected by both breaches, which occurred in 2013 and 2014.
“A majority of the user accounts that were potentially affected by the 2014 incident also are believed to have been affected by the 2013 incident,” Boyd wrote.
The Sunnyvale, Calif. based company wrote the Senate letter in response to questions about details of the breaches raised by Sens. John Thune (R-S.D.), chairman of the Senate Commerce Committee, and Jerry Moran (R-Kan.), chairman of the panel's consumer protection and data security subcommittee.
According to the letter, Yahoo CEO Marissa Mayer doubled the size of the internal security staff and put $250 million into security initiatives. The money went towards the creation of a “red team” to probe Yahoo’s code for security weaknesses and a “bug bounty program,” an offer of money to people outside the company who alerted Yahoo to exploits in the sites' code.
When announcing the 2013 breach in September, Yahoo said that they were working with law enforcement on the attacks, which the company believed were state-sponsored. In their letter today, the company said that they were implementing systems designed to defend against more “sophisticated threats,” including attacks affiliated with foreign governments.
Yahoo also detailed smaller process changes the company implemented in the wake of the breach announcements to improve overall security. The measures included a feature that allows users to see what devices have logged into their accounts and remotely them out, along with enhancing access to third party password authentication.
After the breaches, Yahoo hired cybersecurity firms Stroz Friedberg and Mandiant to assist its internal team. Investigations by Yahoo and the firms found no evidence that actors responsible for the hacks were still in Yahoo’s network.
Yahoo’s exchange with senators regarding security comes after the company endured significant scrutiny for its security practices following the hack revelations. Reports hammered Mayer for allegedly not prioritizing security and leaving the company vulnerable to cybersecurity.
Mayer and other board members have said that they will will step down when Verizon finishes its purchase of Yahoo. In an SEC filing Yahoo said that their stepping down was not because of "any matter relating to the Company’s operations, policies or practices." News of the breaches knocked $350 million from what had been at $4.8 billion deal.