SecurityWeek

Yahoo Reveals More Details About Massive Hack

Massive Breach Hits Yahoo

Yahoo provided more details on Wednesday about an epic hack of its services, including that the culprits may have planted software “cookies” for ongoing access to users’ accounts.

In revelations that could jeopardize the company’s pending $4.8 billion acquisition by US telecom giant Verizon, the internet pioneer said it was trying to pin down when it first knew its system had been breached and whether hackers gave themselves a way to get back into accounts whenever they wished.

“Forensic experts are currently investigating certain evidence and activity that indicates an intruder, believed to be the same state-sponsored actor responsible for the security Incident, created cookies that could have enabled such intruder to bypass the need for a password to access certain users’ accounts or account information,” Yahoo said in a filing with the US Securities and Exchange Commission.

There is no evidence the state-sponsored actor is still active in the California-based company’s network, Yahoo told regulators.

Investigators are also trying to figure out how much people at Yahoo knew about the hack in late 2014, when the breach took place, according to the filing.

Yahoo announced the breach in September, saying it affected at least 500 million customers.

Stolen user information included names, email addresses and answers to security questions, but did not include payment card data or unscrambled passwords, according to Yahoo.

The company warned users after checking into a hacker’s claim of having stolen data. Yahoo said in the SEC filing that law enforcement officials this week shared more data that a hacker claimed was pilfered from Yahoo, saying it was checking the authenticity.

There have been 23 lawsuits filed on behalf of Yahoo users claiming they were harmed by the hack, according to the filing.

A Verizon executive overseeing the purchase of Yahoo said last month that the deal was moving ahead pending the outcome of an investigation into the hack.

“We are not going to jump off a cliff blindly, but strategically the deal still does make sense to us,” Verizon executive vice president Marni Walden said at a technology conference in California.

“What we have to be careful about is what we don’t know.” He declined to comment on what information or circumstances might cause Verizon to walk away from the deal inked in July.

The company said earlier this month that the breach affecting Yahoo customers could have a “material” effect on the acquisition. Yahoo also warned of the possibility in its filing.

The use of the term “material” suggests a substantive change in Yahoo’s value that was not previously known, and which could allow the telecom group to lower its offer or scrap the deal.

Written By

AFP 2023
