It's Yahoo Again: 32 Million Accounts Accessed via Cookie Forging Attack

Yahoo has finally admitted that the accounts of 32 million Yahoo users were accessed.

An unauthorised third party accessed the company’s proprietary code and learned how to forge cookies. Yahoo strongly believes that this is the same hacker who caused the 2014 data breach.

Yahoo disclosed this in its annual report filed with the SEC, saying “The forensic experts from outside have identified nearly 32 million user accounts, and attackers are believed to have used forged cookies to take them over back in 2015 and 2016.”

Although the incident is well known and the company has even admitted that high-level execs were aware of what happened in previous years, the problem was only mentioned last autumn in an SEC filing. Customers were only warned a few weeks ago that their accounts may have been accessed through this sophisticated cookie forging attack.

Yahoo disclosed a massive data breach back in September 2016. The company said that 500 million accounts were affected by an unknown actor in 2014. According to this latest filing, Yahoo knew about the incident that very same year but failed to inform users or make proper security updates.

In December 2016, Yahoo one-upped itself by revealing a 2013 data breach which affected 1 billion accounts.

Email addresses, hashed passwords, names, phone numbers, security questions and more were exposed in both these data breaches.

Up to now, Yahoo says, 43 putative consumer class action lawsuits have been filed against the company relating to the security incidents. This is not surprising considering how many people were affected by these data breaches. The fact that Yahoo knew about at least one of them will surely weigh in favour of those suing Yahoo, as it should.

The data breaches managed to cut Yahoo’s selling price to Verizon by $350 million, but it’s really a surprise that Verizon did not cancel the deal altogether.
