The scale of a second Yahoo breach disclosed Wednesday was staggering enough, exposing information associated with 1 billion accounts. But perhaps even more distressing was that the theft happened three years ago - and had not been reported until now. That probably left a lot of consumers wondering: Why does it take so long to find out that I've been hacked?
The reason behind the Yahoo case is the simplest one and even company did not know about the breach. How Yahoo learned about the 2013 attack is still unknown for all of us, but reading between the lines of its announcement, it seems as though its security team was alerted by outside investigators rather than an internal team.
"Law enforcement provided us with data files that a third party claimed was Yahoo user data," Bob Lord, Yahoo's chief information security officer, wrote in a blog post. "We analyzed this data with the assistance of outside forensic experts and found that it appears to be Yahoo user data."
"These revelations are deeply troubling," said Sen. Mark Warner, D-Va., in an email to The Washington Post. "Prompt notification enables users to potentially limit the harm of a breach of this kind, particularly when it may have exposed authentication information such as security question answers they may have used on other sites."
"The law should require, not just encourage, reasonable data security practices from companies that collect, process, and share personal information," said Samford University law professor Woodrow Hartzog at a hearing in 2015. "This will fortify the protection of personal information in the United States and help ensure that fewer breach notifications need to be sent at all."
Germany urges Yahoo users to think about other email providers
