Sens. Patrick Leahy, Al Franken, Elizabeth Warren, Richard Blumenthal, Ron Wyden, and Edward J. Markey, who co-sponsored the Consumer Privacy Protection Act of 2015, signed the letter, which asks Mayer what went wrong and how Yahoo plans to protect consumer data in the future.
Data such as usernames, passwords, email addresses, telephone numbers, dates of birth, and security questions and answers were stolen from Yahoo platforms including Yahoo Mail, Flickr, Yahoo Finance, and Yahoo Fantasy Sports.
“This is highly sensitive, personal information that hackers can use not only to access Yahoo customer accounts, but also potentially to gain access to any other account or service that users access with similar login or personal information, including bank information and social media profiles,” the letter states.
The senators asked Mayer to provide information about the timeline of the breach, including when Yahoo notified law enforcement and its customers.
“We are even more disturbed that user information was first compromised in 2014, yet the company only announced the breach last week,” the letter stated. “That means millions of Americans’ data may have been compromised for two years. This is unacceptable.”
The senators also asked how such a large hack had gone undetected, what accounts were affected, how many users were affected and whether they were notified, what protection Yahoo is providing for the 500 million customers who were hacked, how Yahoo has changed its security measures, and whether anyone in the federal government warned Yahoo of a possible state-sponsored attack and when that warning was received.
The senators requested that Yahoo brief its staff on those questions to help Congress and the public better understand what happened.
“This breach is the latest in a series of data breaches that have impacted the privacy of millions of American consumers in recent years, but it is by far the largest,” the letter stated. “Consumers put their trust in companies when they share personal and sensitive information with them, and they expect all possible steps be taken to protect that information.”