Six U.S. senators have called Yahoo's massive data breach "unacceptable," and they're demanding that the company provide more details about the incident.
In a letter addressed to Yahoo's CEO, the lawmakers said they were particularly "disturbed" that the breach occurred in 2014, but that Yahoo only publicized it last week.
"That means millions of Americans' data may have been compromised for two years," the letter said. "This is unacceptable."
The hacking incident, which Yahoo said it only learned recently, affects at least 500 million user accounts, making it perhaps the largest known data breach in history. Account information, including email addresses, telephone numbers, and hashed passwords, may have been stolen.
Yahoo has blamed the breach on a "state-sponsored actor," but it hasn't provided details or any evidence to support that claim.
Tuesday's letter asks that Yahoo provide a briefing to the senators' staff about the breach. The lawmakers have also provided a list of questions for the company to answer. Among them is a request that Yahoo provide a timeline on when and how it discovered the breach.
Yahoo didn't immediately respond to a request for comments. But a source familiar with the matter said the company only learned of the hack this past summer, after investigating another possible data breach involving the black market.
Around early August, a hacker was found allegedly selling account details of 200 million Yahoo users. The company investigated and concluded that the sale wasn't legitimate. However, Yahoo decided to launch a broader probe into its systems that uncovered evidence of the more serious data breach.
The six senators, however, are asking how such a large intrusion into Yahoo could have gone undetected for so long. The senators, all Democrats, include Patrick Leahy of Vermont, Al Franken of Minnesota, Richard Blumenthal of Connecticut, Ron Wyden of Oregon, and Edward Markey and Elizabeth Warren of Massachusetts.
On Monday, Senator Mark Warner, a Virginia Democrat, also sent a letter, but to the U.S. Securities and Exchange Commission, asking that the agency investigate Yahoo's handling of the breach and if it kept investors properly informed.
"The public ought to know what senior executives at Yahoo knew of the breach, and when they knew it.” Warner wrote.
This story has been changed to reflect that 500 million user accounts, not 500 million users, were affected by the breach.