Connect with us

Hi, what are you looking for?



Forged Cookie Attack Affected 32 Million Yahoo Users

The recently disclosed security incident involving forged cookies affected 32 million user accounts, Yahoo said in its annual filing to the U.S. Securities and Exchange Commission (SEC).

The recently disclosed security incident involving forged cookies affected 32 million user accounts, Yahoo said in its annual filing to the U.S. Securities and Exchange Commission (SEC).

Yahoo has suffered several major breaches over the past years, which led to the company slashing the price of the $4.8 billion Verizon acquisition deal by $350 million.

The Internet giant disclosed one of the breaches in September 2016, when it told users that a threat actor, believed to be sponsored by a nation state, had stolen roughly 500 million accounts from its network in late 2014. In December 2016, the company disclosed an even bigger breach, one that occurred in August 2013 and affected one billion accounts.

An investigation also revealed that attackers, believed to be connected to the group behind the 2014 incident, used their access to the company’s systems to forge cookies that allowed them to log into accounts without needing a password. Investigators determined that the forged cookies were used or taken in 2015 and 2016, and the incident affected approximately 32 million accounts.

A probe conducted by outside investigators determined that the 2014 incident was not properly investigated. Yahoo became aware in late 2014 that a suspected state-sponsored actor had exploited the company’s account management tool to access 26 user accounts, but it did not investigate further. Yahoo said in its SEC filing:

 “While significant additional security measures were implemented in response to those incidents, it appears certain senior executives did not properly comprehend or investigate, and therefore failed to act sufficiently upon, the full extent of knowledge known internally by the Company’s information security team. Specifically, as of December 2014, the information security team understood that the attacker had exfiltrated copies of user database backup files containing the personal data of Yahoo users but it is unclear whether and to what extent such evidence of exfiltration was effectively communicated and understood outside the information security team. However, the Independent Committee did not conclude that there was an intentional suppression of relevant information.


Nonetheless, the Committee found that the relevant legal team had sufficient information to warrant substantial further inquiry in 2014, and they did not sufficiently pursue it. As a result, the 2014 Security Incident was not properly investigated and analyzed at the time, and the Company was not adequately advised with respect to the legal and business risks associated with the 2014 Security Incident.”

Advertisement. Scroll to continue reading.

In a blog post published on Tumblr on Wednesday, Yahoo CEO Marissa Mayer said she decided to forgo her annual bonus (up to $2 million) and equity grant (roughly $12 million). Mayer said she expressed her desire to have the bonus distributed to the “company’s hardworking employees, who contributed so much to Yahoo’s success in 2016.”

More than 40 class actions have been filed against Yahoo over the security incidents, and the company said it had spent $16 million by the end of 2016, including on forensics investigations, remediation activities and legal fees.

Related: Hacker Selling Credentials of 200 Million Yahoo Users

Related: UK Man Involved in 2012 Yahoo Hack Sentenced to Prison

Related: Yahoo Faces SEC Probe into Breach Disclosures

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.

CISO Conversations

Joanna Burkey, CISO at HP, and Kevin Cross, CISO at Dell, discuss how the role of a CISO is different for a multinational corporation...