Yahoo! Inc. (NASDAQ:YHOO) is notifying people that they may have been affected by an attack in which an intruder created forged cookies that would have granted access to accounts without the need for a password. The incidents are part of the data theft that Yahoo disclosed on Sept. 22 of last year. In that attack, data from at least 500 million Yahoo accounts was stolen from the company.
Yahoo said the investigation into the breach “has identified user accounts for which we believe forged cookies were taken or used.” Cookies are long strings of characters stored by a computer to make it easy to log into a site when the user returns. If the cookies are stolen or forged by a hacker, they can be used to access the users’ accounts.
Yahoo sent emails to users saying “we believe a forged cookie may have been used in 2015 or 2016 to access your account.” The email is signed at the bottom by Bob Lord, Yahoo’s chief information security officer. It’s unclear why users are receiving the notification now, months after Yahoo first disclosed the cookie attacks. Yahoo says that it has invalidated the forged cookies so they cannot be used again.
Yahoo did not disclose how many user accounts were compromised by the forging of the cookies. Security experts say that if attackers created viable forged cookies, it indicates that they first stole critical parts of Yahoo’s network infrastructure. That means that the hackers could have created another way in that the company hasn’t yet discovered.
Yahoo also disclosed the largest reported data breach ever in December 2016, involving the theft of data from more than one billion user accounts in August 2013. Yahoo believes that the attacks were performed by a state-sponsored actor. The Securities and Exchange Commission is reportedly investigating both breaches. Yahoo said that it was cooperating with the SEC, Federal Trade Commission and other federal, state, and foreign governmental officials and agencies investigating the company’s practices.
Reports have emerged of a tentative renegotiated deal for Verizon Communications’ acquisition of Yahoo’s core business. The renegotiated deal would reportedly give the telecom giant a $250 million discount on its original $4.8 billion bid. The price cut appears to indicate the troubled deal will go through. Yahoo said that after the acquisition by Verizon, it would reduce the size of its board of directors.