Yahoo has been repeatedly victimized by high-profile hacking incidents, one of which, the 2014 breach, affected over half a billion account holders. Several months after disclosing that attack, Yahoo admitted in a regulatory filing to a separate cookie-forging campaign, dating back to 2015, that put roughly 32 million accounts at risk.
Yahoo confirmed in a filing with the United States Securities and Exchange Commission (SEC) that approximately 32 million Yahoo accounts were compromised through a cookie-forging attack carried out in 2015 and 2016.
The attackers forged session cookies, the tokens a browser presents to prove it is already logged in, which let them enter accounts without knowing or using account passwords. According to Yahoo, they learned how to forge the cookies after gaining access to the company's proprietary code.
Yahoo says it will determine which accounts were accessed with forged cookies and will notify the account holders potentially affected by the breach. The company has identified and invalidated the forged cookies, which cut off the intruders' existing access. Invalidating cookies that already exist only helps, however, if the attacker can no longer mint new ones, which in practice means changing whatever secret material the forgery depended on.
Regarding the cookie forging exploit, Yahoo wrote in SEC filings:
“In November and December 2016, we disclosed that our outside forensic experts were investigating the creation of forged cookies that could allow an intruder to access users’ accounts without a password. Based on the investigation, we believe an unauthorized third party accessed the Company’s proprietary code to learn how to forge certain cookies. The outside forensic experts have identified approximately 32 million user accounts for which they believe forged cookies were used or taken in 2015 and 2016 (the “Cookie Forging Activity”). We believe that some of this activity is connected to the same state-sponsored actor believed to be responsible for the 2014 Security Incident. The forged cookies have been invalidated by the Company so they cannot be used to access user accounts.”
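To make the mechanism concrete, here is an added example (not Yahoo's code and not part of the original article) of a generic HMAC-signed session cookie. The cookie layout, key names, user names and clock value are all constructed for illustration and are not Yahoo's real format. It shows why knowing the format alone is not enough, why obtaining the signing key lets an attacker mint a cookie for any user without a password, and how retiring that key invalidates every cookie issued under it, which is the effect Yahoo describes.

```python
import hashlib
import hmac


# Hypothetical cookie layout (constructed for this example, not Yahoo's real format):
#   "<user>|<expires_unix>|<kid>|<hex HMAC-SHA256 over user|expires|kid>"
# `kid` names which server key signed the cookie, so keys can be rotated.
SEP = "|"


def _sign(key: bytes, payload: str) -> str:
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()


def mint_cookie(keys: dict, kid: str, user: str, expires: int) -> str:
    """Server side: issue a session cookie for `user`, signed with key `kid`."""
    payload = SEP.join([user, str(expires), kid])
    return payload + SEP + _sign(keys[kid], payload)


def verify_cookie(keys: dict, cookie: str, now: int):
    """Server side: return the user name if `cookie` is valid, otherwise None."""
    try:
        user, expires_s, kid, tag = cookie.split(SEP)
        expires = int(expires_s)
    except ValueError:  # wrong field count or non-numeric expiry
        return None
    key = keys.get(kid)  # a retired or unknown key id is rejected outright
    if key is None or expires <= now:
        return None
    expected = _sign(key, SEP.join([user, expires_s, kid]))
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return None
    return user


def forge_cookie(key_guess: bytes, kid: str, victim: str, expires: int) -> str:
    """Attacker side: knowing the format (e.g. from leaked code) and a key, mint a cookie for any user."""
    return mint_cookie({kid: key_guess}, kid, victim, expires)


def demo() -> dict:
    """Walk through the attack and the defence; returns each verification result."""
    now = 1_450_000_000                 # fixed clock so the example is deterministic (constructed)
    later = now + 3600
    keys = {"k1": b"server-secret-v1"}  # constructed server key
    results = {}

    # 1. Legitimate login: the server mints a cookie for alice after a password check.
    alice = mint_cookie(keys, "k1", "alice", later)
    results["legit"] = verify_cookie(keys, alice, now)

    # 2. Attacker knows only the format: a guessed key produces a rejected cookie.
    results["wrong_key"] = verify_cookie(keys, forge_cookie(b"guess", "k1", "victim", later), now)

    # 3. Attacker edits alice's cookie to claim another user: the MAC no longer matches.
    results["tampered"] = verify_cookie(keys, alice.replace("alice", "victim", 1), now)

    # 4. Attacker has obtained the signing key: the forged cookie verifies, no password involved.
    forged = forge_cookie(keys["k1"], "k1", "victim", later)
    results["forged_with_key"] = verify_cookie(keys, forged, now)

    # 5. Defence: retire k1 and sign with a fresh key. Every cookie under k1 is invalidated,
    #    and the attacker can forge nothing under k2 without stealing that key as well.
    keys = {"k2": b"server-secret-v2"}
    results["forged_after_rotation"] = verify_cookie(keys, forged, now)
    results["reissued_after_rotation"] = verify_cookie(keys, mint_cookie(keys, "k2", "alice", later), now)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:24s} -> {outcome}")
```

The point of step 5 is that "invalidating the cookies" is only durable if the attacker cannot obtain the replacement key; a service that keeps its signing keys alongside the code that was already exfiltrated gains little from rotation. Keeping keys in a KMS or HSM rather than in source, and keeping a server-side revocation list for sessions that must die before their expiry, are the usual complements to the scheme above.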
An independent committee of Yahoo's board of directors, whose findings the company reported to the SEC, determined that Yahoo had enough knowledge of the 2014 intrusion to disclose it at the time, that several unidentified senior executives failed to "properly comprehend or investigate" the breach, and that its legal team should have opened an inquiry into the hacking in 2014. The filing states:
“The Independent Committee found that failures in communication, management, inquiry and internal reporting contributed to the lack of proper comprehension and handling of the 2014 Security Incident.”
In light of these disclosures, Verizon negotiated a $350 million reduction from its original $4.83 billion offer to acquire Yahoo. Yahoo's Chief Executive Officer (CEO) has also accepted responsibility for the oversights and will forgo the annual bonus and equity grant, which will be redistributed to Yahoo employees.