Investigation: Forged cookies gave access to 32 million Yahoo accounts
Yahoo has released the results of an investigation into account access through forged cookies. It shows that attackers were able to access 32 million accounts in 2015 and 2016.
In its annual report, Yahoo writes that the party behind this is likely the same state-sponsored actor responsible for the theft of data from 500 million accounts in 2014. In December, the internet company announced that accounts may have been accessed using cookies. It now says that a third party had access to the ‘proprietary code’, which enabled it to forge cookies. For the 32 million affected accounts, the cookies were ‘stolen or used’. Yahoo does not disclose exactly how that happened.
The report further reveals that Yahoo was aware in 2014 that a third party was accessing user accounts. At the time, it decided to notify 26 users who were specifically targeted by the attacks. The investigation into the incident also found that some members of the company’s board responded incorrectly to the information by not taking any action.
Yahoo CEO Marissa Mayer announced in her own blog post that she will waive her annual bonus and have it paid out to employees. The amounts involved are a cash bonus of two million dollars and shares worth several million dollars. Yahoo is in the process of being acquired by the American provider Verizon. It recently emerged that the purchase price was reduced by $350 million as a result of the security incidents. In a separate hack in 2013, data from a billion user accounts was stolen.