Federal officials this week heaped praise on Yahoo Inc. Chief Executive Marissa Mayer for the company’s cooperation in an investigation of the hacking of hundreds of millions of the site’s accounts.
It was rare recognition for Ms. Mayer, for whom each additional disclosure about the 2014 security breach since she made it public last September has magnified its scope and implications.
The Justice Department and the Federal Bureau of Investigation on Wednesday accused the Russian government of facilitating the attack — and said that the hackers were able to use the information they stole until last December, more than two years after the initial breach occurred.
FBI San Francisco Division Special Agent in Charge Jack Bennett on Wednesday praised Ms. Mayer’s “great leadership and courage while under intense pressure from many entities.” Federal officials didn’t fault Yahoo for the attack, and instead positioned Yahoo as a “victim” in an “unfair fight” against state-sponsored hackers.
Yahoo didn’t respond to a request for comment Thursday.
The Yahoo case provided the Justice Department a clear example to illustrate the benefits to companies of cooperating with law enforcement in investigating cyberbreaches. The government’s reaction this week shows it won’t fault the company itself for the breach, said officials and cybersecurity experts.
“You’d be amazed by the number of companies whose first instinct is to duck and cover,” said Michael Sulmeyer, director of the Cyber Security Project at the Harvard Kennedy School of Government.
Law-enforcement officials have spent years trying to encourage companies to report cyberbreaches to the government and assuage their concerns that they will lose control of their data and the investigation if they invite law enforcement in, said Luke Dembosky, a former national-security prosecutor who supervised the investigation into a hack against Sony Pictures Entertainment and is now a lawyer at Debevoise & Plimpton.
Yahoo’s board of directors was less forgiving than the Justice Department. Earlier this month, directors cut Ms. Mayer’s pay after an independent review found “failures in communication, management, inquiry and internal reporting contributed to the lack of proper comprehension and handling of the 2014 security incident.”
The hack, and a second one that occurred in 2013 and affected more than one billion accounts, forced Yahoo back to the negotiating table with Verizon Communications Inc., to whom the company had agreed to sell itself weeks before disclosing the 2014 attacks. Yahoo agreed last month to slash $350 million from its sale price of $4.83 billion to account for the hacks.
The revelation in September of the hack was short on details: 500 million accounts had been compromised by a state-sponsored hacker in 2014.
The indictment shows that Russian hackers frequently accessed accounts and did so as late as June 2016, one month before Yahoo started probing online claims by hackers offering what they billed as a cache of 280 million Yahoo usernames and passwords. The hackers then continued to use the information they stole from Yahoo until December, three months after Yahoo disclosed that half a million accounts were compromised in 2014.
The hackers also used the stolen information to unleash spam campaigns and manipulate search results.
“Here’s the reality: They didn’t have proper security protocols in place when they get alarms going off when unusual things happen,” said Hemanshu Nigam, chief executive of SSP Blue, a security consulting firm. “There’s no consistent attack and penetration testing to see what the weaknesses might be.”
Yahoo’s board said it wouldn’t award Ms. Mayer her 2016 cash bonus, and accepted her offer to forgo her 2017 equity awards. The review also triggered the resignation of Yahoo’s top lawyer, Ronald Bell. The board directed Yahoo to beef up its cybersecurity measures.