"The Company had identified that a state-sponsored actor had access to the Company's network in late 2014," Yahoo said in its filing. "An Independent Committee of the Board, advised by independent counsel and a forensic expert, is investigating, among other things, the scope of knowledge within the Company in 2014 and thereafter regarding this access, the Security Incident, the extent to which certain users' account information had been accessed."
In the same statement, Yahoo said it is looking into whether the same hacker was able to create cookies that would allow them to access user account data without the need for a password. Since the disclosure, law enforcement agencies have also shared data provided by an attacker. Yahoo is now assessing whether user details are from the 2014 hack or from a separate intrusion.
Account information stolen in the attack is thought to include email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority of which were encrypted) and possibly security questions and answers too. The hack has already cost Yahoo $1 million, but it may run into the billions if Verizon pushes for money off its latest acquisition.