Yahoo says forged cookie attack accessed about 32M accounts

From CNET: Yahoo has revealed that 32 million is the number of user accounts accessed in the past two years by hackers who used forged cookies to log in without a password.

The company said in a regulatory filing Wednesday that the cookie caper is likely connected to the "same state-sponsored actor" thought to be behind a separate, 2014 breach that resulted in the theft of user information from 500 million user accounts.

"Based on the investigation, we believe an unauthorized third party accessed the company's proprietary code to learn how to forge certain cookies," Yahoo said in its annual filing to the Securities and Exchange Commission. The company went on to say the forged cookies have been invalidated to prevent further use on accounts.

Yahoo revealed the cookie caper in December, but the news was largely overlooked because the company announced at the same time that it had identified yet another security breach, which took place in 2013. In that breach, hackers stole information on 1 billion Yahoo accounts.

The scope of the cookie caper was revealed the same day Yahoo CEO Marissa Mayer said she would forgo her annual bonus and any 2017 equity in response to findings from an investigation by the company's board into the hacks. Ronald Bell, Yahoo's general counsel and secretary, also resigned as of Wednesday after the company revealed that senior executives and Yahoo's legal team didn't sufficiently pursue the security incidents.

View: Article @ Source Site