A statement from Yahoo earlier this week seemed to confirm that servers had been hacked due to the Shellshock bug. The company now says that while three of its servers were affected by a hack, Shellshock was not involved. A full investigation was completed after the release of Yahoo's first statement, and the company says the investigation turned up no connection to Shellshock.
Instead of exploiting Shellshock, hackers got into the Yahoo servers by writing code that mimicked some of its own official software. Though, Alex Stamos, Yahoo's Chief Information Security Officer, says the hack may have been carried out in search of Shellshock vulnerable servers.
Security researcher Jonathan Hall says he was the one who contacted Yahoo about the hack, and he says the company was not grateful and refused to reward him. Though, Stamos claims Hall never used official bug bounty channels to contact Yahoo about the issue.