The biggest question is when Yahoo found out about the breach and how long it waited to disclose it publicly, said Keatron Evans, a partner at consulting firm Blink Digital Security. (Kara Swisher at Recode reported that Verizon isn't happy about Yahoo's disclosures about the hack.)
Verizon-owned AOL issued a statement earlier Thursday:
"Within the last two days, we were notified of Yahoo's security incident. We understand that Yahoo is conducting an active investigation of this matter, but we otherwise have limited information and understanding of the impact. We will evaluate as the investigation continues through the lens of overall Verizon interests, including consumers, customers, shareholders and related communities. Until then, we are not in position to further comment."
It is possible that Yahoo has not known about the breach very long: on average, it takes a company as much as 18 months to discover a breach, according to the Verizon Data Breach Report. "Which is scary, but it's true," said Evans.
"If we find out that they knew about this breach two years ago, then there's going to be some hard questions about why they didn't disclose it," he said.
If investigators find that Yahoo failed to comply with required reporting laws governing public companies and those that handle payments information, the situation will quickly escalate, said Evans.
"When it's something intentional, and there was obvious intention to defraud, then that's more impetus for congressional hearings," he said.