Continuing the ongoing trend, Yahoo today revealed that some 32 million accounts have been accessed by intruders over the past two years. These accounts are in addition to the accounts affected by the two data breaches the company had previously disclosed.
According to Reuters, the accounts were compromised using forged cookies. Yahoo is currently of the belief that the accounts were accessed by the “same state-sponsored actor beloved to be responsible for the 2014 hack.” For those keeping track, the 2014 hack was the one that affected at least 500 million accounts.
“Based on the investigation, we believe an unauthorized third party accessed the company’s proprietary code to learn how to forge certain cookies,” Yahoo said in its latest annual filing.
To remedy the issue, Yahoo says that it has invalidated those cookies so that they cannot be used to access user accounts any longer.
Additionally, Yahoo announced today that it would not award CEO Marissa Mayer a cash bonus for 2016 due to the findings of an independent committee’s research into the 2014 security problems. Mayer has also offered to pass up any 2017 annual equity award because of the data breaches.
Much has been made about Yahoo’s security over recent years. In September of last year, Yahoo confirmed that 500 million user accounts had been breached during a hack in late 2014. As if that wasn’t enough, though, Yahoo announced in December of last year that another 1 billion accounts were accessed in a data breach that occurred all the way back in 2013.
All three of these data breaches have come as Yahoo is in the midst of being acquired by Verizon. In response to the security concerns, Verizon revealed last month that it was cutting $350 million from its acquisition price of the company, bringing the price down to $4.48 billion.
Verizon’s acquisition of Yahoo is expected to close during the during the second quarter of this year. Though, Verizon has said that the data breaches may delay “some integration of Yahoo with Verizon after the closing.”
As always, we strongly recommend ensuring that you have the strongest security possible on all of your accounts, especially if you were a Yahoo user during the times of these breaches. So, pretty much if you were ever a Yahoo user.