32M Yahoo accounts hacked in forged cookie attack

Yahoo’s annual report released Wednesday discloses that 32 million accounts are believed to have been compromised using forged cookies. 

In mid-February, The Associated Press reported that the company had begun notifying users of these potential breaches, though the full scope of the attack was not known. The forged cookie attacks are separate from the company's other major breaches, including a 2013 breach of 1 billion accounts, though they are possibly related to them.

The yearly Securities and Exchange Commission (SEC) filing notes: “[B]ased on an investigation by its outside forensic experts, it believes an unauthorized third party accessed the Company’s proprietary code to learn how to forge certain cookies. The outside forensic experts have identified approximately 32 million user accounts for which they believe forged cookies were used or taken in 2015 and 2016. …

“We believe that some of this activity is connected to the same state-sponsored actor believed to be responsible for the 2014 Security Incident. The forged cookies have been invalidated by the Company so they cannot be used to access user accounts.”

The SEC filing notes that, because of the series of breaches, CEO Marissa Mayer was stripped of a 2016 cash bonus that she would otherwise have received, and Mayer further offered to forgo a 2017 equity award for the same reasons.

Copyright 2025 Nexstar Media, Inc. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.