Over the last year, Yahoo has found itself in hot water because of the two massive breaches it disclosed right after its acquisition. The search giant had then said that the state-sponsored breach affected about a billion users, and that the intruders used forged cookies instead of passwords to break into email accounts. Today, in a 10-K filing, Yahoo revealed that the same method was used to gain access to over 32 million user accounts in the last two years.
In the document filed with the U.S. Securities and Exchange Commission (SEC), Yahoo states that the hackers used code obtained in the breach to forge cookies and access these accounts. It further added that some of the recent intrusions can be traced back to the first massive breach in 2014, which affected about 500 million accounts. The filing describes it as follows:
Based on the investigation, we believe an unauthorized third party accessed the company’s proprietary code to learn how to forge certain cookies. We believe that some of this activity is connected to the same state-sponsored actor believed to be responsible for the 2014 security incident. The outside forensic experts have identified approximately 32 million user accounts for which they believe forged cookies were used or taken in 2015 and 2016.
Last month, Yahoo sent out an email notifying users that their accounts may have been accessed via forged cookies. They were all advised to take the necessary steps, changing their password and setting up two-factor authentication, to bolster their account security. Yahoo also invalidated all of those cookies so the hackers can no longer use them to gain access to user accounts. For those unaware, cookies are small tokens stored by the web browser that hold information for a given website, such as a logged-in session, so that you are not required to enter that information a second time.
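As an added illustration (not Yahoo's code; the filing does not describe its cookie format), the Python below shows how a session cookie authenticated with a server-side HMAC key resists forgery by someone who has only read the code that builds it, and how rotating that key invalidates every outstanding cookie at once, the step Yahoo took. The key, the functions and the `uid`/`exp` field names are assumptions for the example.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _now(now: Optional[float]) -> float:
    return time.time() if now is None else now

def issue_cookie(user_id: str, key: bytes, ttl_seconds: int = 3600,
                 now: Optional[float] = None) -> str:
    """Cookie = base64(payload) '.' base64(HMAC-SHA256(key, payload)).
    The key is the only secret; the format itself may be public."""
    payload = json.dumps({"uid": user_id, "exp": int(_now(now) + ttl_seconds)}).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(tag)}"

def verify_cookie(cookie: str, key: bytes, now: Optional[float] = None) -> Optional[str]:
    """Return the user id if the cookie is authentic and unexpired, else None."""
    try:
        payload_b64, tag_b64 = cookie.split(".", 1)
        payload, tag = _unb64(payload_b64), _unb64(tag_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return None
    claims = json.loads(payload)
    if claims.get("exp", 0) < _now(now):
        return None
    return claims.get("uid")

def demo() -> dict:
    """Three cases: a genuine cookie, one whose payload was altered without the
    key, and a genuine cookie after the server rotated its signing key."""
    key_v1 = secrets.token_bytes(32)            # hypothetical server-side secret
    good = issue_cookie("alice", key_v1)
    altered = _b64(json.dumps({"uid": "bob", "exp": 2**31}).encode()) + "." + good.split(".")[1]
    key_v2 = secrets.token_bytes(32)            # rotation revokes all v1 cookies
    return {"valid": verify_cookie(good, key_v1),
            "altered": verify_cookie(altered, key_v1),
            "after_rotation": verify_cookie(good, key_v2)}
```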
This disclosure from the search giant comes on the heels of the much-awaited statement from Yahoo CEO Marissa Mayer, who is not taking the fall for the security failures at her company. Instead, Yahoo general counsel Ron Bell is being made the scapegoat for the massive breaches, while she is merely forgoing her annual bonus and annual equity grant this year. She has asked that these grants be distributed among Yahoo employees.
The hubbub surrounding Yahoo started mere days after its $4.8 billion acquisition by Verizon, a price that has since been slashed by $350 million. Verizon cut the transaction price because Yahoo was not forthcoming with the breach information and because the breaches could have material effects in the future.
Last September, the search giant first reported that intruders had breached its servers back in 2014, affecting close to 500 million accounts in the process. It was called the biggest data breach in history: the hackers gained access to personal information, while payment data remained untouched. That breach was then topped by another disclosure, one some employees admitted having had knowledge of, which affected even more accounts, about a billion, and dated back to 2013.
These breaches caused widespread anxiety among users and prompted calls for an external investigation. Users questioned the company's delay in making everyone aware of these massive breaches of its email servers. On this point, the filing reads:
In late 2014, senior executives and relevant legal staff were aware that a state-sponsored actor had accessed certain user accounts by exploiting the Company’s account management tool. The Company took certain remedial actions, notifying 26 specifically targeted users and consulting with law enforcement.
While significant additional security measures were implemented in response to those incidents, it appears certain senior executives did not properly comprehend or investigate, and therefore failed to act sufficiently upon, the full extent of knowledge known internally by the Company’s information security team.