Forged Cookie Attack Affected 32 Million Yahoo Users

The recently disclosed security incident involving forged cookies affected 32 million user accounts, Yahoo said in its annual filing to the U.S. Securities and Exchange Commission (SEC).

Yahoo has suffered several major breaches over the past years, which led to the company slashing the price of the $4.8 billion Verizon acquisition deal by $350 million.

The Internet giant disclosed one of the breaches in September 2016, when it told users that a threat actor, believed to be sponsored by a nation state, had stolen roughly 500 million accounts from its network in late 2014. In December 2016, the company disclosed an even bigger breach, one that occurred in August 2013 and affected one billion accounts.

An investigation also revealed that attackers, believed to be connected to the group behind the 2014 incident, used their access to the company’s systems to forge cookies that allowed them to log into accounts without needing a password. Investigators determined that the forged cookies were used or taken in 2015 and 2016, and the incident affected approximately 32 million accounts.

A probe conducted by outside investigators determined that the 2014 incident was not properly investigated. Yahoo became aware in late 2014 that a suspected state-sponsored actor had exploited the company’s account management tool to access 26 user accounts, but it did not investigate further. Yahoo said in its SEC filing:

“While significant additional security measures were implemented in response to those incidents, it appears certain senior executives did not properly comprehend or investigate, and therefore failed to act sufficiently upon, the full extent of knowledge known internally by the Company’s information security team. Specifically, as of December 2014, the information security team understood that the attacker had exfiltrated copies of user database backup files containing the personal data of Yahoo users but it is unclear whether and to what extent such evidence of exfiltration was effectively communicated and understood outside the information security team. However, the Independent Committee did not conclude that there was an intentional suppression of relevant information.

Nonetheless, the Committee found that the relevant legal team had sufficient information to warrant substantial further inquiry in 2014, and they did not sufficiently pursue it. As a result, the 2014 Security Incident was not properly investigated and analyzed at the time, and the Company was not adequately advised with respect to the legal and business risks associated with the 2014 Security Incident.”

In a blog post published on Tumblr on Wednesday, Yahoo CEO Marissa Mayer said she decided to forgo her annual bonus (up to $2 million) and equity grant (roughly $12 million). Mayer said she expressed her desire to have the bonus distributed to the “company’s hardworking employees, who contributed so much to Yahoo’s success in 2016.”

More than 40 class actions have been filed against Yahoo over the security incidents, and the company said it had spent $16 million by the end of 2016, including on forensics investigations, remediation activities and legal fees.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.