Yahoo has told the Senate Commerce Committee that the massive hacks in 2013 and 2014—about 1.5 billion accounts—did not include any "clear passwords, payment card data or bank account information."
Just this week, Yahoo agreed to cut the price Verizon is paying to buy the company by $350 million in light of the breaches.
Yahoo said it understood the committee's desire for more information, including on how Yahoo was securing accounts, and in that spirit answered the committee's questions. It said it was cooperating with federal, state and foreign officials on the incidents in question.
Yahoo did say the hackers got access to email addresses, phone numbers, birthdays, and hashed passwords, as well as both encrypted and unencrypted security questions and their answers.
Among the steps Yahoo said it has taken: it invalidated the forged cookies that allowed the hackers' access, created customized alerts to help detect forged cookies, provided notice to users about the hacks, and is requiring users who have not changed their passwords since late 2014 to do so, though it said that was only out of "an abundance of caution."
Sens. John Thune (R-S.D.), chairman of the Senate Commerce Committee, and Jerry Moran (R-Kan.), chairman of the Consumer Protection, Product Safety, Insurance and Data Security Subcommittee, had written Yahoo CEO Marissa Mayer saying they want to know what Yahoo has done to identify and mitigate any consumer harm.
“Despite several inquiries by Committee staff seeking information about the security of Yahoo! user accounts, company officials have thus far been unable to provide answers to many basic questions about the reported breaches,” they wrote Feb. 10, asking for a response by Feb. 23.
They also were not happy with what they called the last-minute cancellation of a meeting between Yahoo and congressional staffers that had been planned for Jan. 31.
The letter back to the senators came from April Boyd, VP and head of global public policy. She did not mention the cancelled meeting, but did point out that the company had provided a bipartisan staff briefing back in September.