In its recent annual filing with the US Securities and Exchange Commission (SEC), Yahoo admitted that it believes 32 million user accounts were breached as a result of "cookie forging activity."
Although this breach was separate from the 2014 breach that affected 500 million accounts, Yahoo said it believes that the same state-sponsored actor connected to the 2014 breach may have been responsible for the cookie forging activity, the filing said. However, the filing also noted that the forged cookies have since been invalidated by Yahoo and can no longer be used to access user accounts.
In a Tumblr (owned by Yahoo) blog post on Wednesday, Yahoo CEO Marissa Mayer wrote: "When I learned in September 2016 that a large number of our user database files had been stolen, I worked with the team to disclose the incident to users, regulators, and government agencies." Mayer also said that since the incident happened under her tenure, she would be forgoing her annual bonus and equity grant as well.
As reported by ZDNet's Zack Whittaker, Yahoo began alerting users of the impact of the cookie forging attack in February 2017. Now, Yahoo has confirmed just how many accounts were affected, and while they pale in comparison to the 500 million affected in 2014 and the 1 billion accounts stolen in 2013, it's still a major hit to the company and its brand.
Cookies are small files, stored on a user's computer, that are accessed by the web browser in order to identify the user and tailor web content for them. As noted in its in the Yahoo filing, "an unauthorized third party accessed the company's proprietary code to learn how to forge certain cookies."
Essentially, after forging the cookies, the Yahoo attacker was able to access the 32 million affected accounts without a password. In this instance, prompting a user to change his or her password, a common first step in remedying a situation like this, would have had no effect.
Yahoo didn't disclose exactly how the attacker forged the cookies, but just that they "accessed the Company's proprietary code," so it isn't very clear how a company could defend against a similar attack. However, an initial step organizations can take is to make sure that your website is on HTTPS and that it is using secure cookies.
One thing that's becoming increasingly clear is how much of a financial impact Yahoo's security failures are causing. At the very least, this should serve as a cautionary tale for every C-level executive to make sure security is prioritized in the boardroom and elsewhere.
The 3 big takeaways for TechRepublic readers
- Forged cookies were used to access 32 million Yahoo accounts in 2015 and 2016.
- The recent attack is separate from Yahoo's other 2013 and 2014 breaches, which left 1.5 million accounts compromised.
- Users should prioritize security in their organization, making sure their website is on HTTPS and they are using secure cookies.
- Yahoo changes name to Altaba Inc. after Verizon acquisition (TechRepublic)
- Yahoo says forged cookie attack accessed about 32M accounts (CNET)
- Yahoo confirms 500M accounts leaked in massive data breach (TechRepublic)
- Yahoo's security follies add up to real money: Will companies learn from Yahoo's mistakes? (ZDNet)
- After hacks, Verizon cuts Yahoo price by $1.55 per customer (ZDNet)