Investigators have confirmed that attackers used or obtained forged cookies for 32 million Yahoo accounts after stealing the company’s proprietary software.
In a filing submitted to the U.S. Securities and Exchange Commission, Yahoo explains that an Independent Committee of the Board of Directors analyzed three security incidents that the company disclosed in 2016. One event, known as the “2014 Security Incident,” made headlines on September 22, 2016, when the technology giant revealed that hackers had stolen account information for more than 500 million of its users.
It was just a few months later that Yahoo disclosed two other incidents: the “2013 Security Incident,” the theft of account information for more than a billion users in an attack that appears distinct from the 2014 Security Incident; and an unauthorized third party’s theft of proprietary code that allowed attackers to forge cookies for users and thereby access their accounts without a password.
The free email provider has warned users several times about this “Cookie Forgery Activity” since it discovered the attack. The incident is believed to have occurred in 2015 and 2016, and it may also be linked to the actor who perpetrated the 2014 Security Incident.
As explained in the filing (PDF):
“Based on its investigation, the Independent Committee concluded that the Company’s information security team had contemporaneous knowledge of the 2014 compromise of user accounts, as well as incidents by the same attacker involving cookie forging in 2015 and 2016. In late 2014, senior executives and relevant legal staff were aware that a state-sponsored actor had accessed certain user accounts by exploiting the Company’s account management tool. The Company took certain remedial actions, notifying 26 specifically targeted users and consulting with law enforcement. While significant additional security measures were implemented in response to those incidents, it appears certain senior executives did not properly comprehend or investigate, and therefore failed to act sufficiently upon, the full extent of knowledge known internally by the Company’s information security team. Specifically, as of December 2014, the information security team understood that the attacker had exfiltrated copies of user database backup files containing the personal data of Yahoo users but it is unclear whether and to what extent such evidence of exfiltration was effectively communicated and understood outside the information security team. However, the Independent Committee did not conclude that there was an intentional suppression of relevant information.”
This revelation comes at the same time that Marissa Mayer, CEO of Yahoo, announced on Tumblr that she would be forgoing her annual bonus and equity grant in 2017 because the 2014 Security Incident had occurred under her watch.