Forged cookies behind breach of 32m Yahoo accounts

Connects forgery to 2014 hack.

Yahoo, which disclosed two massive data breaches last year, has revealed that about 32 million user accounts were accessed by intruders in the last two years using forged cookies.

The company said some of the latest intrusions can be connected to the "same state-sponsored actor believed to be responsible for the 2014 breach", in which at least 500 million accounts were affected.

"Based on the investigation, we believe an unauthorised third party accessed the company's proprietary code to learn how to forge certain cookies," Yahoo said in its latest annual filing.

These cookies have been invalidated so they cannot be used to access user accounts, the company said.

Forged cookies allow an intruder to access a user's account without a password.

Yahoo has been emailing its customers over the past two weeks to let them know that their accounts may have been breached by hackers using forged cookies. It first disclosed the use of forged cookies last November.

Yahoo also said in December that data from more than 1 billion user accounts was compromised in August 2013, making it the largest breach in history.

The company today said it would not award chief executive Marissa Mayer a cash bonus for 2016, following the independent committee's findings related to the 2014 security incident.

Mayer has also offered to forgo any 2017 annual equity award as the breaches occurred during her tenure, Yahoo said.

Last month, Verizon Communications, which is in the process of buying Yahoo's core assets, lowered its original offer by US$350 million to US$4.48 billion.
