Yahoo revealed Wednesday that about 32 million user accounts were accessed by hackers in the past two years using forged cookies that allowed them to log into accounts without using a password.
The company said in a regulatory filing that the attack is likely connected to the “same state-sponsored actor believed to be responsible for the 2014 [breach],” which resulted in the theft of user information from 500 million user accounts.
“Based on the investigation, we believe an unauthorized third party accessed the company’s proprietary code to learn how to forge certain cookies,” Yahoo said in its annual filing to the Securities and Exchange Commission. The company went on to say that forged cookies have been invalidated to prevent further use on accounts.
Yahoo revealed the attack in December but the news was largely overlooked because the company announced at the same time it had identified a separate security breach that took place in 2013 in which hackers stole information on 1 billion Yahoo accounts.
The scope of the attack was revealed the same day that Yahoo CEO Marissa Mayer announced that she would forgo her annual bonus and any 2017 equity in response to findings from an investigation into the hacks conducted by the company’s board. Ronald Bell, Yahoo’s general counsel and secretary, also resigned as of Wednesday after the company revealed that senior executives and Yahoo’s legal team didn’t sufficiently pursue the security incidents.
Yahoo declined to comment on the matter beyond what it included in its filing.
CNET Magazine: Check out a sampling of the stories you’ll find in CNET’s newsstand edition.
Life, disrupted: In Europe, millions of refugees are still searching for a safe place to settle. Tech should be part of the solution. But is it? CNET investigates.