The hackers purportedly relied on a sophisticated cookie forging exploit that could be executed without the need to acquire user passwords, ZDNet reports.
The announcement follows a series of high-profile breaches Yahoo reported last year. Last September the Sunnyvale giant revealed it had suffered a massive attack affecting more than half a million users; then three months later, it came forward with another major breach putting over a billion users at risk.
“The investigation has identified user accounts for which we believe forged cookies were taken or used,” a company spokesperson confirmed. “Yahoo is in the process of notifying all potentially affected account holders.”
The Sunnyvale company further remarked that, following the breach, it has invalidated the cookies, therefore effectively cutting off the hackers.
The news comes shortly after reports that Verizon is finally closing in on its prolonged negotiations to acquire Yahoo. While the two companies initially agreed on a $4.83 billion buyout offer, Verizon is likely to get a hefty price cut of between $250 and $350 million following the string of hackings.
Meanwhile, Yahoo was recently said to be under investigation by the Securities and Exchange Commission for delaying its data breach announcements for years.
Time to delete that Yahoo account and put the matter to bed.