Yahoo is warning some of its users that their accounts might have been breached by intruders using forged cookies, allowing them to access private information without knowing users’ passwords.
Cookies are pieces of code stored by browsers to, among other things, keep track of whether a user is logged into a password-protected account. They’re also used for innocuous functions, such as keeping track of online shopping cart contents.
This latest warning to users stems from an ongoing investigation into previously disclosed hacking of at least 500 million user accounts in 2014. Ars Technica reported that Yahoo sent emails this week to users stating that “based on the ongoing investigation, we believe a forged cookie may have been used in 2015 or 2016 to access your account.”
The company first revealed the data breach in September 2016, as The Two-Way reported.
In December, Yahoo disclosed a separate hacking incident of more than 1 billion accounts in 2013, as we reported.
In a November regulatory filing, Yahoo mentioned the possibility that in addition to hacking of security questions to access user accounts, forged cookies might have been used to steal private user information, explaining:
“Forensic experts are currently investigating certain evidence and activity that indicates an intruder, believed to be the same state-sponsored actor responsible for the Security Incident, created cookies that could have enabled such intruder to bypass the need for a password to access certain users’ accounts or account information.”
In a December regulatory filing, the company provided further information, including that it had connected some of the forged cookies to “the same state-sponsored actor believed to be responsible for the data theft the company disclosed on September 22, 2016.”
The December filing continued:
“Based on the ongoing investigation, the company believes an unauthorized third party accessed the company’s proprietary code to learn how to forge cookies. The outside forensic experts have identified user accounts for which they believe forged cookies were taken or used. Yahoo is notifying the affected account holders, and has invalidated the forged cookies.”
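To make concrete what "forging a cookie" means and why Yahoo's stated remediation (invalidating the forged cookies) matters, here is an added illustration that is not Yahoo's code and assumes nothing about how Yahoo's cookies were actually built. It models a common server-side design: a session cookie carries a small signed payload, the server checks the HMAC with a secret key before trusting the user id inside, and a cut-off timestamp plus key rotation lets the operator invalidate every cookie issued under a compromised scheme at once. The key, user names and timestamps are constructed sample values.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Illustrative HMAC-signed session cookie (an assumed design, not Yahoo's).
# Cookie format: "<base64url(payload)>.<base64url(tag)>" with
# tag = HMAC-SHA256(server_key, payload). Whoever holds server_key can mint
# cookies for any account, which is why a leaked signing scheme has to be
# answered with key rotation and a blanket cut-off on previously issued cookies.


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_cookie(user_id: str, key: bytes, issued_at: Optional[int] = None) -> str:
    """Sign a payload containing the user id and an issue timestamp (iat)."""
    claims = {"uid": user_id, "iat": int(time.time()) if issued_at is None else issued_at}
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64e(payload)}.{_b64e(tag)}"


def verify_cookie(cookie: str, key: bytes, not_before: int = 0) -> Optional[str]:
    """Return the user id if the tag verifies and iat >= not_before, else None.

    not_before is the operator's invalidation cut-off: raising it rejects every
    cookie issued before that moment, valid signature or not.
    """
    try:
        payload_b64, tag_b64 = cookie.split(".", 1)
        payload = _b64d(payload_b64)
        tag = _b64d(tag_b64)
        claims = json.loads(payload)
    except ValueError:  # bad structure, bad base64 or bad JSON (all ValueError subclasses)
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):  # constant-time tag comparison
        return None
    if not isinstance(claims, dict) or claims.get("iat", 0) < not_before:
        return None
    uid = claims.get("uid")
    return uid if isinstance(uid, str) else None


def altered_copy(cookie: str, new_uid: str) -> str:
    """Test vector: same tag, different uid; this is what someone without the key can produce."""
    payload_b64, tag_b64 = cookie.split(".", 1)
    claims = json.loads(_b64d(payload_b64))
    claims["uid"] = new_uid
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    return f"{_b64e(payload)}.{tag_b64}"


if __name__ == "__main__":
    SERVER_KEY = b"constructed-server-key-for-the-example"  # constructed, not a real secret
    cookie = issue_cookie("alice", SERVER_KEY, issued_at=1_600_000_000)
    print("genuine cookie   ->", verify_cookie(cookie, SERVER_KEY))                    # alice
    print("uid rewritten    ->", verify_cookie(altered_copy(cookie, "bob"), SERVER_KEY))  # None
    print("wrong key used   ->", verify_cookie(issue_cookie("bob", b"guess"), SERVER_KEY))  # None
    # If the key itself leaks, cookies minted with it verify; the only fix is to
    # rotate the key and/or set a cut-off that rejects everything issued earlier.
    print("after rotation   ->", verify_cookie(cookie, b"rotated-key"))                # None
    print("after cut-off    ->", verify_cookie(cookie, SERVER_KEY, not_before=1_600_000_001))  # None
```

The two last lines of the demo are the defender's levers: rotating `SERVER_KEY` makes every cookie signed with the old key fail, and moving `not_before` forward rejects every cookie issued before the invalidation, which is the effect described above when the company says it "has invalidated the forged cookies".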
A spokesperson for Yahoo declined to say how many user accounts had been accessed using forged cookies, but told NPR on Thursday that the company was in the final stages of its investigation into the data breach.
The repeated revelations about Yahoo’s account security appear to have affected its proposed acquisition by Verizon. When the deal was announced in July 2016, the price tag for Yahoo was $4.8 billion, as we reported.
On Wednesday, that price appeared to be dropping, according to The New York Times, which added:
“Yahoo is close to renegotiating its original deal, choosing to take close to $300 million off the price to preserve the sale, a person with knowledge of the matter said on Wednesday.
“Under the revised terms, the two companies are expected to share legal responsibility and costs for the data breaches, the person with knowledge of the matter said.”
Bloomberg reported a slightly smaller decrease in Yahoo’s asking price, closer to $250 million. Both outlets said negotiations between Yahoo and Verizon were ongoing.