32 Million Yahoo Accounts Were Compromised Using Malicious Cookies
Yahoo's investigation showed that about 32 million user accounts were accessed by intruders in the last two years using forged cookies.
The company said some of the latest intrusions can be connected to the "same state-sponsored actor believed to be responsible for the 2014 breach", in which at least 500 million accounts were affected.
"Based on the investigation, we believe an unauthorized third party accessed the company's proprietary code to learn how to forge certain cookies," Yahoo said in its latest annual filing.
Forged cookies allow an intruder to access a user's account without a password. To protect users, the company has forced password resets and invalidated the forged cookies.
The 2014 breach involved the theft of user account details such as email addresses, telephone numbers, and hashed passwords. After Yahoo went public with it, the company established an independent committee to investigate the matter.
The committee found that Yahoo's security team and senior executives actually knew that a state-sponsored actor had hacked certain user accounts back in 2014, according to the filing. But even as the company took some remedial actions, such as notifying 26 users targeted in the hack and adding new security features, some senior executives allegedly failed to comprehend or investigate the incident further.
"As a result, the 2014 Security Incident was not properly investigated and analyzed at the time," the filing said.
Yahoo also said in December that data from more than 1 billion user accounts was compromised in August 2013, making it the largest breach in history.
The company said on Wednesday that it would not award Chief Executive Marissa Mayer a cash bonus for 2016.
"When I learned in September 2016 that a large number of our user database files had been stolen, I worked with the team to disclose the incident to users, regulators, and government agencies," said Mayer. "However, I am the CEO of the company and since this incident happened during my tenure, I have agreed to forgo my annual bonus and my annual equity grant this year and have expressed my desire that my bonus be redistributed to our company's hardworking employees, who contributed so much to Yahoo's success in 2016."
Last month, Verizon Communications, which is in the process of buying Yahoo's core assets, lowered its original offer by $350 million to $4.48 billion.