Since the hack was publicly revealed on Sept. 22, questions have mounted over Yahoo’s handling of the data breach, including what it knew and when, and whether it violated securities laws by not disclosing news of the hack earlier.
Yahoo said when it announced the breach that a “recent investigation” led them to believe that data associated with 500 million accounts was stolen from its servers in late 2014 by a “state-sponsored actor.” The company has not been specific about when it first detected the breach.
The company said that the stolen data may have included password information, names, email addresses, dates of birth and telephone numbers.
“This is highly sensitive, personal information that hackers can use not only to access Yahoo customer accounts, but also potentially to gain access to any other account or service that users access with similar login or personal information, including bank information and social media profiles,” the senators wrote in the letter to Mayer.
“We are even more disturbed that user information was first compromised in 2014, yet the company only announced the breach last week," the senators added. "That means millions of Americans’ data may have been compromised for two years.”
The senators said it was “unacceptable” that there was a nearly two-year gap between the time when the hack is believed to have taken place and when it was revealed. They asked Yahoo to brief their staff "on the company’s investigation into the breach, its interaction with appropriate law enforcement and national security authorities, and how it intends to protect affected users.”
The lawmakers also demanded a timeline "detailing the nature of the breach, when and how it was discovered, when Yahoo notified law enforcement or other government authorities about the breach, and when Yahoo notified its customers."
They asked if anyone within the U.S. government had warned Yahoo "of a possible hacking attempt by state-sponsored hackers or other bad actors," and if so, when that warning took place.
"Press reports indicate the breach first occurred in 2014, but was not discovered until August of this year," the senators added. "If this is accurate, how could such a large intrusion of Yahoo's systems have gone undetected?"
In early August, multiple media reports surfaced claiming that a hacker identifying himself or herself as “Peace” was attempting to sell information associated with some 200 million Yahoo accounts on the dark web. Those claims were reported by the BBC, Ars Technica, and Motherboard, among others.
Shortly after the breach was revealed last Thursday, a source familiar with the matter who requested anonymity as they were not permitted to speak publicly about the matter, told ABC News in an email that Yahoo launched an internal investigation "following a report earlier this summer (July 2016) of a hacker indicating that 280 million user credentials were for sale on the black market."
According to the source, the company "found no evidence to substantiate the hacker’s claims," but when an internal security team broadened the scope of its investigation, “they identified evidence of the theft by a state-sponsored actor occurred in 2014.”
The source did not make clear when the discovery of the data breach revealed on Sept. 22 was made.
The Financial Times, a U.K. newspaper, published a report on Friday, citing an unnamed source that made very similar claims about how Yahoo discovered the massive breach.
“The initial investigation found no evidence for the claim in July by a hacker known as Peace that details of more than 200m accounts had been accessed, this person said, but concern about the allegation triggered a deeper probe,” the newspaper reported. “That investigation uncovered what Yahoo on Thursday called a state-sponsored hack affecting more than 500m accounts.”
“Marissa Mayer has known since July that Yahoo was investigating allegations of a serious data breach,” The Financial Times reported. ABC News has not been able to independently verify this detail.
In a statement issued on Friday, Yahoo said: “As we disclosed yesterday, a recent investigation by Yahoo has confirmed that a copy of certain user account information was stolen from our systems in late 2014 by what we believe is a state-sponsored actor. Our investigation into this matter is ongoing and the issues are complex.”
“Some things, however, are clear: Yahoo has never had reason to believe there is any connection between the security issue disclosed yesterday and the claims publicized by a hacker in August 2016. Conflating the two events is inaccurate,” the statement also said.
“Press reports indicate Yahoo’s CEO, Marissa Mayer, knew of the breach as early as July of this year,” Warner wrote in the letter to SEC Chairwoman Mary Jo White. “Despite the historic scale of the breach, however, the company failed to file a Form 8-K disclosing the breach to the public.”
“Disclosure is the foundation of federal securities laws, and public companies are required to disclose material events that shareholders should know about via Form 8-K within four business days,” Warner added.
Yahoo and Verizon announced on July 25 that Verizon would acquire Yahoo for around $4.83 billion. That deal is still pending.
On Sept. 22, the day the breach was revealed, Verizon released a statement saying that it found out about it "within the last two days."
"We understand that Yahoo is conducting an active investigation of this matter, but we otherwise have limited information and understanding of the impact," Verizon said in that statement. "We will evaluate as the investigation continues through the lens of overall Verizon interests, including consumers, customers, shareholders and related communities. Until then, we are not in position to further comment."
Yahoo did not immediately return a request for comment on the letter sent today by the six senators.
Yahoo is a content partner of ABC News.
ABC News' Ali Rogin contributed to this report from Washington.