March 2, 2017
An unauthorized third party accessed the company’s proprietary code and learned how to forge cookies. Yahoo believes this is the same actor that caused the 2014 data breach.
“The outside forensic experts have identified approximately 32 million user accounts for which they believe forged cookies were used or taken in 2015 and 2016,” Yahoo discloses in its annual report filed with the SEC.
Although the incident was well-known and the company even admitted that high-level execs were aware of what had happened in previous years, the problem was only mentioned last autumn in a SEC filing. However, customers were only warned a few weeks back that their accounts might have been accessed by using this sophisticated cookie forging attack.
2016 – the year Yahoo crashed
Yahoo disclosed a massive data breach in September 2016. They said the 500 million accounts were affected by an unknown actor sometime in 2014. According to the latest filing, Yahoo knew about the incident from that very same year but failed to inform users or make proper security updates.
In December 2016, Yahoo one-upped itself by revealing a 2013 data breach which affected 1 billion accounts.
Email addresses, names, hashed passwords, security questions, phone numbers and more were exposed in both data breaches.
To date, Yahoo says 43 putative consumer class action lawsuits have been filed against the company in the United States, as well as in foreign courts relating to the security incidents. This isn’t surprising considering how many people were affected by these data breaches. The fact that Yahoo knew about at least one of them will surely weight in favor of those suing Yahoo, as it should.