Yahoo continues its downhill slide: an investigation disclosed in its filings with the US Securities and Exchange Commission (SEC) confirmed that more than 32 million accounts were breached in a cookie-forging attack carried out in 2015 and 2016.
The news follows two separate massive breaches affecting over 500 million and one billion users in 2014 and 2013 respectively. While details remain inconclusive, the investigation states that some of the cookie-forging activity is believed to be connected to the actor behind the 2014 hacking.
The breach relied on cookie forgery: rather than stealing passwords, the attacker produced session cookies that Yahoo's servers accepted as genuine, which granted access to user accounts. According to the filed documents, the affected cookies have since been invalidated.
This is what Yahoo wrote in the SEC filings:
In November and December 2016, we disclosed that our outside forensic experts were investigating the creation of forged cookies that could allow an intruder to access users’ accounts without a password. Based on the investigation, we believe an unauthorized third party accessed the Company’s proprietary code to learn how to forge certain cookies. The outside forensic experts have identified approximately 32 million user accounts for which they believe forged cookies were used or taken in 2015 and 2016 (the “Cookie Forging Activity”). We believe that some of this activity is connected to the same state-sponsored actor believed to be responsible for the 2014 Security Incident. The forged cookies have been invalidated by the Company so they cannot be used to access user accounts.
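The filing above describes an attacker who learned, from the company's own code, how to produce cookies the servers accepted, and a remedy of invalidating the cookies that had been issued. The following Python is an added example, not Yahoo's code or mechanism, of the defensive pattern that makes this kind of forgery hard: each session cookie carries an HMAC over its contents under a server-held secret key, so knowing the cookie format and the signing algorithm alone is not enough to mint one, and two invalidation handles (retiring a signing key, and a per-user not-before timestamp) let an operator revoke cookies that are already in circulation. The class name, cookie layout, key ids, user ids and timestamps are all constructed for the example.

```python
import hashlib
import hmac
import secrets
import time


class CookieAuthority:
    """Mints and verifies HMAC-signed session cookies (constructed example).

    Cookie layout: "<kid>.<user_id>.<issued_at>.<hex tag>", where the tag is
    HMAC-SHA256 over "<kid>.<user_id>.<issued_at>" under the key named by kid.
    Without that key, knowing this whole file does not let you produce a tag
    that verify() accepts.
    """

    def __init__(self, max_age=30 * 86400):
        self.keys = {}              # kid -> secret key bytes
        self.active_kid = None      # key used for newly minted cookies
        self.max_age = max_age      # seconds a cookie stays valid
        self.invalid_before = {}    # user_id -> timestamp; cookies issued at or before it are rejected

    def add_key(self, kid, key=None, activate=True):
        self.keys[kid] = key if key is not None else secrets.token_bytes(32)
        if activate:
            self.active_kid = kid

    def retire_key(self, kid):
        """Global invalidation: every cookie signed under kid stops verifying."""
        self.keys.pop(kid, None)
        if self.active_kid == kid:
            self.active_kid = None

    def invalidate_user_sessions(self, user_id, now=None):
        """Per-user invalidation: cookies issued at or before now are rejected."""
        self.invalid_before[user_id] = int(now if now is not None else time.time())

    def _tag(self, kid, body):
        return hmac.new(self.keys[kid], body.encode(), hashlib.sha256).hexdigest()

    def mint(self, user_id, now=None):
        if self.active_kid is None:
            raise RuntimeError("no active signing key")
        if "." in user_id:
            raise ValueError("user_id must not contain the field separator")
        issued_at = int(now if now is not None else time.time())
        body = f"{self.active_kid}.{user_id}.{issued_at}"
        return f"{body}.{self._tag(self.active_kid, body)}"

    def verify(self, cookie, now=None):
        """Return the user_id the cookie authenticates, or None if it is rejected."""
        now = int(now if now is not None else time.time())
        parts = cookie.split(".")
        if len(parts) != 4:
            return None
        kid, user_id, issued_at_s, tag = parts
        if kid not in self.keys or not issued_at_s.isdigit():
            return None                      # unknown or retired key, or malformed timestamp
        body = f"{kid}.{user_id}.{issued_at_s}"
        if not hmac.compare_digest(self._tag(kid, body), tag):
            return None                      # tag does not match: forged or tampered
        issued_at = int(issued_at_s)
        if issued_at > now or now - issued_at > self.max_age:
            return None                      # from the future, or expired
        if issued_at <= self.invalid_before.get(user_id, -1):
            return None                      # issued before this user's sessions were revoked
        return user_id


def demo():
    """Walk through minting, a wrong-key forgery attempt, and both invalidation modes."""
    auth = CookieAuthority(max_age=3600)
    auth.add_key("k1", key=b"constructed-key-1")   # constructed key, only for this example
    good = auth.mint("alice", now=1000)
    # A cookie built by someone who knows the format and algorithm but holds the wrong key.
    body = "k1.alice.1000"
    forged = f"{body}.{hmac.new(b'not-the-real-key', body.encode(), hashlib.sha256).hexdigest()}"
    results = {
        "genuine": auth.verify(good, now=1500),
        "forged_wrong_key": auth.verify(forged, now=1500),
        "expired": auth.verify(good, now=1000 + 3600 + 1),
    }
    auth.invalidate_user_sessions("alice", now=1200)
    results["after_user_invalidation"] = auth.verify(good, now=1500)
    renewed = auth.mint("alice", now=1300)
    results["renewed"] = auth.verify(renewed, now=1500)
    auth.add_key("k2", key=b"constructed-key-2")
    auth.retire_key("k1")
    results["after_key_retirement"] = auth.verify(renewed, now=1500)
    results["under_new_key"] = auth.verify(auth.mint("alice", now=1400), now=1500)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The two revocation handles serve different incidents: retiring a key id invalidates every cookie it ever signed in one step, which is what a mass "cookies have been invalidated" response amounts to, while the per-user not-before timestamp lets a single account's sessions be ended without logging everyone else out. Both depend on the secret key never leaving the server; if the key itself is exposed, only key rotation helps.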
The SEC initially vowed to look into the hackings after allegations that Yahoo had known enough about the 2014 situation to disclose the attacks earlier than it did.
The findings note that during the internal investigation conducted by Yahoo back in 2014, the company was able to link the attack to at least 26 compromised accounts. The owners of these accounts have since been notified.
More worryingly, the findings conclude that certain unnamed senior executives failed to “properly comprehend or investigate” the full extent of the breach. They also state that the Yahoo legal team had sufficient information to open a further inquiry back in 2014.
“The Independent Committee found that failures in communication, management, inquiry and internal reporting contributed to the lack of proper comprehension and handling of the 2014 Security Incident,” the filing reads.
In light of these developments, Marissa Mayer announced today in a Tumblr post that, as CEO of Yahoo, she takes full responsibility for these blunders.
Mayer further said she has agreed to forgo her annual bonus and equity grant, expressing a desire that her additional compensation be redistributed to “company’s hardworking employees.”
Meanwhile, Yahoo has agreed to give Verizon a massive $350 million discount on its initial $4.8 billion buyout valuation. But with all this drama surrounding the search engine service, one must really wonder whether this high-profile acquisition will eventually turn into a massive liability for the mobile carrier.