Yahoo has issued a new warning to account holders about malicious hacks linked to a third data breach that the company disclosed late last year.
The warning relates to more recent malicious activity targeting accounts between 2015 and 2016, most likely perpetrated by a “state actor,” according to Yahoo. Specifically, the hacks were achieved by using form of “forged” cookies – text-based keys that give web users access to username and password information without having to re-enter it – created by software stolen from within Yahoo’s internal systems.
A warning message was sent to affected Yahoo users on Wednesday, warning them of the unauthorized access to their account, but Yahoo did not reveal how many people were notified.
“Outside forensic experts have been investigating the creation of forged cookies that could have enabled an intruder to access our users’ accounts without a password,” a Yahoo spokesperson told Associated Press. “The investigation has identified user accounts for which we believe forged cookies were taken or used. Yahoo is in the process of notifying all potentially affected account holders.”
Yahoo’s announcement came just hours after reports that Verizon was close to a renegotiated deal to buy Yahoo’s core assets at a lower price. Last year, Verizon agreed to buy Yahoo’s core business for $4.83 billion, but on Wednesday Bloomberg News reported that the renegotiated deal would knock about $250 million off that price because of the security breaches that were revealed after the initial deal was agreed.
— Joshua B. Plotkin (@jplotkin) February 15, 2017
Back in September, Yahoo revealed that hackers had stolen the personal data of “at least” 500 million users, but by December, the internet company admitted that over one billion Yahoo user accounts had been compromised in a separate hack dating back to August 2013. Information stolen included names, email addresses, phone numbers, birth dates, hashed passwords, security questions and answers.
The internet company is currently under investigation from the Securities and Exchange Commission over its failure to disclose its massive data breaches sooner.
Discuss this article in our forums