A few weeks ago, a new Yahoo data breach came to light, the third such disclosure in a matter of months. Yahoo countered that the news was not new, since it had disclosed the breach late last year. However, Yahoo only mentioned it quietly, in an SEC filing that few people read. What makes this breach important is that it is not the average incident in which hackers break into servers and run off with your data. This time, the intruders were able to get into accounts without needing the user's password at all.
Yahoo may have disclosed the attack last year, but only on Wednesday did it reveal how many accounts may have been affected: approximately 32 million. That seems like a drop in the bucket compared to the two previous hacks, which between them affected more than a billion Yahoo accounts. But it is still a major attack, and a different kind of one.
The new disclosures were made in Yahoo’s latest SEC 10-K filing, Reuters reports.
“In November and December 2016, we disclosed that our outside forensic experts were investigating the creation of forged cookies that could allow an intruder to access users’ accounts without a password,” Yahoo explained.
“Based on the investigation, we believe an unauthorized third party accessed the company’s proprietary code to learn how to forge certain cookies. The outside forensic experts have identified approximately 32 million user accounts for which they believe forged cookies were used or taken in 2015 and 2016.”
“We believe that some of this activity is connected to the same state-sponsored actor believed to be responsible for the 2014 Security Incident. The forged cookies have been invalidated by the Company so they cannot be used to access user accounts,” Yahoo added.
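To make concrete what "forging a cookie" means, here is an added illustration, not code from the article and not Yahoo's actual cookie scheme, which the filing does not describe: a typical HMAC-signed session cookie, an intruder who has obtained the signing secret minting a cookie for any account without ever touching a password, and the server-side fix the filing describes, invalidating the cookies, done here by rotating the signing key. The cookie layout, the secret values, the timestamps, the user ids and the function names are all assumptions made for this example.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Hypothetical server-side signing secret (assumption for this example).
# In the scenario the filing describes, an attacker learns from the
# proprietary code enough to produce valid cookies; in this toy scheme
# that means learning this secret.
SERVER_SECRET = b"example-signing-secret-do-not-reuse"


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _mac(payload: bytes, secret: bytes) -> str:
    return _b64e(hmac.new(secret, payload, hashlib.sha256).digest())


def mint_cookie(user_id: str, secret: bytes, expires_at: int) -> str:
    """Issue a session cookie of the form base64(json claims).base64(HMAC).

    The server calls this after a successful password login. The cookie
    carries no password: possession of a valid MAC is what authenticates it.
    """
    payload = json.dumps({"uid": user_id, "exp": expires_at}, sort_keys=True).encode()
    return f"{_b64e(payload)}.{_mac(payload, secret)}"


def verify_cookie(cookie: str, secret: bytes, now: int) -> Optional[str]:
    """Return the user id the cookie authenticates, or None if it is invalid."""
    try:
        body, sig = cookie.split(".", 1)
        payload = _b64d(body)
        claims = json.loads(payload)
    except (ValueError, TypeError):
        return None
    # Constant-time comparison so the MAC cannot be guessed byte by byte.
    if not hmac.compare_digest(_mac(payload, secret).encode(), sig.encode()):
        return None
    if not isinstance(claims, dict):
        return None
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp < now:
        return None
    uid = claims.get("uid")
    return uid if isinstance(uid, str) else None


def forge_cookie(victim_uid: str, stolen_secret: bytes, now: int) -> str:
    """What the intruder does: mint a cookie exactly as the server would.

    No password is involved at any point, which is why a password change
    by the victim does not close this hole.
    """
    return mint_cookie(victim_uid, stolen_secret, now + 365 * 86400)


def rotate_and_check(forged: str, now: int) -> dict:
    """Show the forged cookie being accepted, then invalidated by key rotation.

    Rotating the signing secret makes every cookie signed under the old key,
    forged or legitimate, fail verification, so all users must log in again.
    """
    new_secret = b"rotated-signing-secret"  # assumption: the replacement key
    return {
        "before_rotation": verify_cookie(forged, SERVER_SECRET, now),
        "after_rotation": verify_cookie(forged, new_secret, now),
    }


if __name__ == "__main__":
    NOW = 1_488_412_800  # constructed timestamp, early March 2017
    forged = forge_cookie("victim@example.com", SERVER_SECRET, NOW)
    print(rotate_and_check(forged, NOW))
```

The point of the `rotate_and_check` step is the one the filing makes: the remedy lives on the server. Once the old key is gone, the forged cookies are dead regardless of what the victim does; conversely, while the old key is still accepted, a password change by the victim changes nothing, because the cookie was never derived from the password. A production system would normally version its keys (a key id in the cookie) so that rotation can be staged, and would pair the signed cookie with a server-side session record that can be revoked per user rather than only globally.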
The 2014 security incident refers to the data breach disclosed in September 2016, which affected more than 500 million user accounts starting in late 2014.
That is not to be confused with the 2013 security incident, disclosed in December 2016, which affected more than a billion accounts.
Yahoo also disclosed that 43 consumer class action suits have been filed so far following these security incidents.
As a direct result, Yahoo will not award Marissa Mayer a cash bonus for 2016, and the CEO has also offered to forgo her 2017 annual equity award.
The security breaches also had a direct impact on the Verizon deal. The purchase will still go through, but Verizon lowered its offer by $350 million, to $4.48 billion.
If you're one of the affected users of Yahoo's latest hack, you'll probably receive a notification from Yahoo, if you haven't already. Keep in mind what a forged cookie means: the intruder never had or needed your password, so changing your Yahoo password does nothing against that particular technique. What stops it is what Yahoo says it has done, invalidating the forged cookies on the server side so they no longer grant access. Changing your Yahoo password is still worth doing, because you don't know what else the intruder did while inside the account. More important is to change the passwords on the other online accounts tied to the breached Yahoo address, especially any that send password reset emails to it: anyone who was reading your Yahoo mail could have used those reset messages to take over those accounts as well.