Yahoo: 32m accounts hacked in last two years

BANGALORE • Yahoo, which disclosed two massive data breaches last year, has said that about 32 million user accounts were accessed by intruders in the last two years using forged cookies.

The company said some of the latest intrusions can be connected to the "same state-sponsored actor believed to be responsible for the 2014 breach", in which at least 500 million accounts were affected.

"Based on the investigation, we believe an unauthorised third party accessed the company's proprietary code to learn how to forge certain cookies," Yahoo said in its latest annual filing.

These cookies have been invalidated so they cannot be used to access user accounts, the company added.

Forged cookies allow an intruder to access a user's account without a password.

Yahoo also said in December that data from more than a billion user accounts was compromised in August 2013, making it the largest breach in history.

The hacks have been a major embarrassment for the former Internet leader, which has failed to keep up with Google, Facebook and other rising tech stars.

The company said on Wednesday it would not award chief executive Marissa Mayer a cash bonus for last year, following the independent committee's findings related to the 2014 security incident. She has also offered to forgo any annual equity award this year as the breaches occurred during her tenure, Yahoo added.

The investigation findings also resulted in Yahoo general counsel Ronald Bell's resignation on Wednesday with no severance payments, according to a filing to the Securities and Exchange Commission.

Last month, Verizon Communications, which is in the process of buying Yahoo's core assets, lowered its original offer by US$350 million (S$494 million) to US$4.48 billion.


A version of this article appeared in the print edition of The Straits Times on March 03, 2017, with the headline 'Yahoo: 32m accounts hacked in last two years'.