Yahoo revealed some bad news for its users. The company stated that a forged cookie attack managed to access no less than 32 million accounts. Yahoo actually stated that it believes this attack could be linked to a massive data breach that occurred in 2014.
Yahoo claimed that a total of 32 million accounts were accessed by hackers during the past two years. The attackers used forged cookies to log in to the accounts without needing a password. The company made the disclosure in a regulatory filing to the Securities and Exchange Commission this week.
“Based on the investigation, we believe an unauthorized third party accessed the company’s proprietary code to learn how to forge certain cookies,” the company stated. “Outside forensic experts have identified approximately 32 million user accounts for which they believe forged cookies were used or taken in 2015 and 2016,” the statement added.
“We believe that some of this activity is connected to the same state-sponsored actor believed to be responsible for the 2014 Security Incident. The forged cookies have been invalidated by the Company so they cannot be used to access user accounts.”
Yahoo also added that it has now acted against the attack, meaning that the forged cookies have been invalidated to prevent further use. The news that this hack occurred is not actually new: Yahoo first disclosed it back in December 2016.
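The filing describes two things worth separating for anyone who runs a login system: the attacker learned how to forge cookies from the application code, and the defence was to invalidate the forged cookies. The Python below is an added illustration, not Yahoo's code and not a description of the actual cookie format, showing why the secret that authenticates a cookie must live outside the code base (here a keyed HMAC with a constructed demo key and a key id for rotation) and how a server-side session table lets an operator revoke cookies that would otherwise still verify. The session store, key names and helper names are assumptions for the example.

```python
"""Signed session cookies with server-side invalidation (added example, not Yahoo's code)."""
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret keyed by key id so keys can be rotated. A real
# deployment loads these from a secret store; reading the source code alone
# must not be enough to mint a valid cookie.
KEYS = {"v1": b"constructed-demo-key-v1-0123456789abcdef"}
CURRENT_KEY_ID = "v1"

# In-memory record of sessions the server still honours: session_id -> user.
# Invalidating a cookie means dropping its session id here, so a cookie whose
# MAC still verifies is nonetheless rejected (the "invalidated cookies" step).
VALID_SESSIONS = {}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_cookie(user: str, session_id: str, ttl: int = 3600, now=None) -> str:
    """Build `body.tag` where tag = HMAC-SHA256(key, body) and register the session."""
    now = time.time() if now is None else now
    payload = {"u": user, "sid": session_id, "exp": int(now + ttl), "kid": CURRENT_KEY_ID}
    body = _b64(json.dumps(payload, separators=(",", ":")).encode())
    tag = hmac.new(KEYS[CURRENT_KEY_ID], body.encode(), hashlib.sha256).digest()
    VALID_SESSIONS[session_id] = user
    return f"{body}.{_b64(tag)}"


def verify_cookie(cookie: str, now=None):
    """Return the user if the cookie is authentic, unexpired and not revoked; else None."""
    now = time.time() if now is None else now
    try:
        body, tag_b64 = cookie.split(".", 1)
        payload = json.loads(_unb64(body))
        key = KEYS[payload["kid"]]
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        # Constant-time comparison so the MAC check does not leak timing information.
        if not hmac.compare_digest(expected, _unb64(tag_b64)):
            return None
        if payload["exp"] < now:
            return None
        # Revocation check: the MAC proves who issued the cookie, not that it is still wanted.
        if VALID_SESSIONS.get(payload["sid"]) != payload["u"]:
            return None
        return payload["u"]
    except (ValueError, KeyError, TypeError):
        return None


def invalidate_session(session_id: str) -> None:
    """Revoke one session; its cookie stops working immediately."""
    VALID_SESSIONS.pop(session_id, None)


def invalidate_all_sessions() -> None:
    """Bulk revocation, the kind of response the filing describes."""
    VALID_SESSIONS.clear()


def demo() -> dict:
    """Exercise the four outcomes a defender cares about; returns them for inspection."""
    now = 1_700_000_000  # fixed clock so the run is reproducible
    good = issue_cookie("alice", "sid-1", now=now)
    # Someone who has read the code knows the format but not KEYS; a cookie
    # built with a guessed key has the right shape but a wrong MAC.
    body = good.split(".")[0]
    bad_tag = hmac.new(b"guessed-key-not-the-real-one", body.encode(), hashlib.sha256).digest()
    guessed = f"{body}.{_b64(bad_tag)}"
    results = {
        "genuine": verify_cookie(good, now=now + 60),
        "wrong_key": verify_cookie(guessed, now=now + 60),
        "expired": verify_cookie(good, now=now + 7200),
    }
    invalidate_all_sessions()
    results["after_invalidation"] = verify_cookie(good, now=now + 60)
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the server-side table is that a MAC alone cannot be revoked: once a valid cookie exists (or a key has leaked), the only ways to stop it are to expire it, rotate the key (which invalidates every cookie signed under that key id) or consult a revocation list like the one here. Keeping the signing key out of the repository is what turns "the attacker read our code" into a non-event.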
However, the announcement did not get much attention, because at the same time Yahoo also disclosed that hackers had stolen information from 1 billion company accounts back in 2013. That news drew a great deal of media attention and criticism of the company. The company refused to provide much information on what happened, but it has also been revealed that the company’s general counsel and secretary decided to resign.
“In late 2014, senior executives and relevant legal staff were aware that a state-sponsored actor had accessed certain user accounts by exploiting the Company’s account management tool. The Company took certain remedial actions, notifying 26 specifically targeted users and consulting with law enforcement,” Yahoo stated in its regulatory filing. So the resignations were announced after it was revealed that senior executives from the company, as well as its legal team, had failed to properly pursue all the warning signs of a potential attack.