Sen. Al Franken Presses Yahoo's Marissa Mayer for Answers on Massive Data Breach
Yahoo recently confirmed that user account data was breached in 2014, and it believes that a "state actor" is responsible for the hack.
On Tuesday, U.S. Sen. Al Franken (D-MN) called on Yahoo to reveal how a massive data hack at the company may have gone unnoticed for two years.
In a letter to Yahoo CEO Marissa Mayer, Sen. Franken and a group of his Senate colleagues pressed the company to provide a timeline of the hack, which compromised at least 500 million accounts, and asked when law enforcement and users were notified.
The lawmakers are also seeking information about how widespread the hack is and what Yahoo is doing to prevent such a hack in the future, according to a news release.
"The stolen data included usernames, passwords, email addresses, telephone numbers, dates of birth, and security questions and answers," wrote Franken, top Democrat on the Senate Privacy Subcommittee, and his colleagues.
"This is highly sensitive, personal information that hackers can use not only to access Yahoo customer accounts, but also potentially to gain access to any other account or service that users access with similar login or personal information, including bank information and social media profiles," the letter states.
"We are even more disturbed that user information was first compromised in 2014, yet the company only announced the breach last week. That means millions of Americans' data may have been compromised for two years. This is unacceptable. This breach is the latest in a series of data breaches that have impacted the privacy of millions of American consumers in recent years, but it is by far the largest. Consumers put their trust in companies when they share personal and sensitive information with them, and they expect all possible steps be taken to protect that information."
The letter, which was led by Senate Judiciary Committee Ranking Member Patrick Leahy (D-Vt.), was also signed by Sens. Elizabeth Warren (Mass.), Richard Blumenthal (Conn.), Ron Wyden (Ore.), and Edward J. Markey (Mass.).
A copy of the September 27 letter to CEO Marissa Mayer is below.
Dear Ms. Mayer:
We write following your company's troubling announcement that account information for more than 500 million Yahoo users was stolen by hackers, compromising users' personal information across the Yahoo platform and on its sister sites, including Yahoo Mail, Flickr, Yahoo Finance, and Yahoo Fantasy Sports. The stolen data included usernames, passwords, email addresses, telephone numbers, dates of birth, and security questions and answers. This is highly sensitive, personal information that hackers can use not only to access Yahoo customer accounts, but also potentially to gain access to any other account or service that users access with similar login or personal information, including bank information and social media profiles.
We are even more disturbed that user information was first compromised in 2014, yet the company only announced the breach last week. That means millions of Americans' data may have been compromised for two years. This is unacceptable. This breach is the latest in a series of data breaches that have impacted the privacy of millions of American consumers in recent years, but it is by far the largest. Consumers put their trust in companies when they share personal and sensitive information with them, and they expect all possible steps be taken to protect that information.
In light of these troubling revelations, please answer the following questions to help Congress and the public better understand what went wrong and how Yahoo intends to safeguard data and protect its users, both now and in the future. We also request that Yahoo provide a briefing to our staff on the company's investigation into the breach, its interaction with appropriate law enforcement and national security authorities, and how it intends to protect affected users.
1. When and how did Yahoo first learn that its users' information may have been compromised? Please provide a timeline detailing the nature of the breach, when and how it was discovered, when Yahoo notified law enforcement or other government authorities about the breach, and when Yahoo notified its customers.
2. Press reports indicate the breach first occurred in 2014, but was not discovered until August of this year. If this is accurate, how could such a large intrusion of Yahoo's systems have gone undetected?
3. What Yahoo accounts, services, or sister sites have been affected?
4. How many total users are affected? How were these users notified?
5. What protection is Yahoo providing the 500 million Yahoo customers whose identities and personal information are now compromised?
6. What steps can consumers take to best protect the information that may have been compromised in the Yahoo breach?
7. What is Yahoo doing to prevent another breach in the future? Has Yahoo changed its security protocols, and in what manner?
8. Did anyone in the U.S. government warn Yahoo of a possible hacking attempt by state-sponsored hackers or other bad actors? When was this warning issued?
Thank you for your prompt attention to this critical matter.
Image via Fortune Live Media, Flickr, used under Creative Commons