Six Democratic U.S. senators have written to Yahoo Inc. Chief Executive Marissa Mayer, seeking answers to questions about the company's 500 million-account data breach, thought to be the largest ever.
The letter, sent Tuesday, notes that Yahoo said the breach occurred in late 2014, yet was only disclosed last week. "That means millions of Americans' data may have been compromised for two years," the senators wrote. "This is unacceptable."
"We have received the letter and will work to respond in a timely and appropriate manner," a Yahoo spokesman said Tuesday in an email message.
Yahoo said last week that the 2014 breach was carried out by "state-sponsored" actors, but that the company was unaware of the incident until this year. On Friday, The Wall Street Journal reported that Yahoo first notified the Federal Bureau of Investigation in fall 2014, after 30 to 40 accounts had been compromised, in a breach the company linked to Russian hackers.
At the time, company executives didn't believe that the breach was widespread and notified only the affected users, according to a person familiar with the matter.
Although it is not uncommon for consumers to be notified years after a breach, the delay can create problems for consumers and diminish the intended effects of breach-notification laws, said Michael Overly, an intellectual-property lawyer with Foley & Lardner LLP.
"If the time delay between breach and the company learning about it is two years," Mr. Overly said, "the horse has not only escaped the barn, but the barn has fallen from disuse."
In their letter, the senators ask Ms. Mayer for a timeline detailing when and how Yahoo learned of the breach, a list of affected services and an explanation for how the incident could have gone undetected for so long. They also ask for a briefing by Yahoo so they can understand how Yahoo and law enforcement investigated the incident and how the company intends to protect consumers in the future.
The signers are Sens. Patrick Leahy of Vermont, Al Franken of Minnesota, Elizabeth Warren of Massachusetts, Richard Blumenthal of Connecticut, Ron Wyden of Oregon and Edward J. Markey of Massachusetts.
The internet company said last week it started investigating the breach in July, around the time it said it would sell its core assets to Verizon Communications Inc. for $4.8 billion. In a Sept. 9 proxy statement related to the deal, Yahoo said it wasn't aware of any "security breaches" or "loss, theft, unauthorized access or acquisition" of user data.
Write to Robert McMillan at Robert.Mcmillan@wsj.com