“The Company had identified that a state-sponsored actor had access to the Company’s network in late 2014,” Yahoo’s most recent 10-k form said of the security breach. Yahoo reported two months ago that personal information associated with at least a half billion user accounts had been stolen in a theft linked to the two-year-old intrusion.
In the filing, earlier reported by The Financial Times, Yahoo (YHOO) said that it had set up an independent committee of its board to investigate the matter, including “the scope of the knowledge within the company in 2014 and thereafter regarding this access,” as well as “the extent to which certain users’ account information had been accessed.” Looted customer data included email addresses, telephone numbers, dates of birth, hashed passwords, and answers to security questions.
Get Data Sheet, Fortune’s technology newsletter.
Although some Yahoo staffers may not have been surprised to learn about the network intrusion, what did surprise them was the extent of the breach, a source familiar with the investigation, who requested anonymity due to its ongoing nature, told Fortune.
“It wasn’t until this most recent intensification of the investigation that really gave the full scope of what occurred,” the source said, referring to the company’s renewed interest in reviewing its security posture after it began investigating the claims of a hacker earlier this year.
In August, tech blog Vice Motherboard reported that a hacker claimed to be selling hundreds of millions of Yahoo accounts online. Yahoo ultimately determined that the claim had no basis; however, the finding prompted the company to reassess its cyber defenses, which led to the revelation of an earlier and more extensive data breach, the company has said.
The latest SEC filing revealed more information about the 2014 hacking incident, disclosed on Sept. 22. For instance, Yahoo said its forensics investigators believe the state-sponsored attacker maintained access to customers’ email accounts through cookie forgery, an attack method that can bypass password protections.
The source familiar with the investigation told Fortune that the company believes that Yahoo Mail and its users are no longer vulnerable to the attack.
Yahoo said it paid $1 million in breach-related expenses in the most recent quarter ending Sept. 30, and that 23 class action lawsuits related to the breach have been filed against it. The company continues to maintain that the breach “did not have a material adverse impact on our business.”
Verizon (VZ) is currently mulling a $4.8 billion acquisition of Yahoo. Onlookers have questioned whether ongoing revelations about the breach—as well as an alleged, unrelated United States intelligence agency-sanctioned email-scanning program—might put the deal in jeopardy.
“We are confident in Yahoo’s value and we continue to work towards integration with Verizon,” a Yahoo spokesperson said in a statement provided to Fortune.
In a recent earnings call, Marissa Mayer, CEO of Yahoo, reported that the hacking incident and its disclosure had not affected user engagement metrics, an important measure for Yahoo’s ad business. Scrutinizers of the earnings call, such as Fortune’s Jeff John Roberts, have pointed out that a slight uptick in Yahoo Mail activity could be attributed to victims logging in to change their account passwords.
“We’re still evaluating the situation and haven’t come to any conclusions,” wrote Jim Gerace, Verizon’s chief communication officer, in an email to Fortune, when asked about how the latest disclosures might impact the pending Yahoo acquisition.
Yahoo also mentioned in the SEC filing that law enforcement on Monday had provided the company with another dataset, which a hacker claimed to contain Yahoo user account data. Yahoo did not reveal any other details about the cache, or whether it had any relation to the pending investigation.
Yahoo said that it was investigating the hacker’s claims.