Yahoo reveals more details on hack that affected 500M accounts

The California-based communications company filed a report with the US Securities and Exchange Commission, telling regulators that a “state-sponsored actor” may have “created cookies” for continued access to the hacked accounts.

Photo by: Reuters
Photo by: Reuters

A tattered Yahoo flag flies in New York City. Yahoo is facing 23 lawsuits from users who say they were harmed by a breach that happened in late 2014.

Beleaguered communications giant Yahoo said on Wednesday that the major hack its services suffered may have included software “cookies” planted by hackers in order to have continuous access to its users’ accounts.

In September, the company said that hackers might have stolen names, email addresses, telephone numbers, dates of birth and encrypted passwords of around 500 million its account holders in 2014.

The revelation came after Yahoo CEO Marissa Meyer had announced in July that the firm had reached an agreement with Verizon to acquire Yahoo’s operating business. The $4.8 billion acquisition may be endangered by Yahoo’s new revelations.

"Forensic experts are currently investigating certain evidence and activity that indicates an intruder, believed to be the same state-sponsored actor responsible for the security incident, created cookies that could have enabled such an intruder to bypass the need for a password to access certain users' accounts or account information," the company said in a November 9, 2016 filing to the US Securities and Exchange Commission.

“Our security measures may be breached as they were in the security incident and user data accessed, which may cause users and customers to curtail or stop using our products and services, and may cause us to incur significant legal and financial exposure,” it noted.

While the breach took place in late 2014, Yahoo didn’t publicise the hack until September 2016. The filing also reveals that investigators are trying to determine the extent of Yahoo’s knowledge of the breach at the time it happened.

Yahoo faces 23 lawsuits filed on behalf of Yahoo users who claim they were harmed by the hack.

In July, Yahoo announced Verizon would acquire the company for $4.8bn. It is unclear whether the deal will still go through. (Reuters)

Verizon says it will proceed with caution but that the acquisition deal may still go forward.

At the Wall Street Journal's WSJSLive technology conference that took place in October, Verizon Executive Vice President Marni Walden said, "What we have to be careful about is what we don't know."

She added, “We are not going to jump off a cliff blindly, but strategically the deal still does make sense to us.”

TRTWorld and agencies