March 2, 2017 3:54:26 pm
Yahoo, which faced two of the biggest data breaches in the history, revealed in a K-10 filling that forged cookies (not passwords) were used by hackers to gain access to 32 million accounts. The company, in a document filed with the US Securities and Exchange Commission (SEC) said the same method is believed to be used in the 2014 ‘Security Incident’. “The forged cookies have been invalidated by the Company so they cannot be used to access user accounts,” it said.
Yahoo’s network was breached twice; once in 2013 with one billion accounts affected, and the second time in 2014 with 500 million accounts affected. Yahoo had earlier said the “investigation indicates that the stolen information did not include passwords in clear text, payment card data, or bank account information.” Now Yahoo has confirmed hackers used forged cookies and not passwords to breach in to the accounts of 32 million users.
Yahoo’s filling reads, “The outside forensic experts have identified approximately 32 million user accounts for which they believe forged cookies were used or taken in 2015 and 2016 (the “Cookie Forging Activity”). We believe that some of this activity is connected to the same state-sponsored actor believed to be responsible for the 2014 Security Incident.”
Following the revelation, Yahoo parted ways with its top lawyer for the mishandling of security breaches. Additionally, Yahoo CEO Marissa Mayer won’t be paid her annual bonus nor receive a potentially lucrative stock award because a Yahoo investigation concluded her management team reacted too slowly to one breach discovered in 2014.
Yahoo had admitted some of its staff knew about a possible 2014 hacking. However, the company first revealed about a data breach on 22 September, 2016. Three months later, Yahoo revealed it had uncovered a separate hack in 2013 affecting about 1 billion accounts. According to the SEC filling, “In late 2014, senior executives and relevant legal staff were aware that a state-sponsored actor had accessed certain user accounts by exploiting the Company’s account management tool. The Company took certain remedial actions, notifying 26 specifically targeted users and consulting with law enforcement.”
Alex Stamos, Yahoo’s top security officer at the time of the 2014 breach, left the company in 2015 while company’s general counsel Ronald Bell has resigned without severance pay for his department’s lackadaisical response to the security lapses. Verizon Communications Inc lowered its original offer to buy Yahoo Inc’s core business by $350 million following the two cyber attacks.
delivered to you
📣 The Indian Express is now on Telegram. Click here to join our channel (@indianexpress) and stay updated with the latest headlines
- The Indian Express website has been rated GREEN for its credibility and trustworthiness by Newsguard, a global service that rates news sources for their journalistic standards.