Yahoo issues new warning of potential email account breach
- Author: Zachary Reyes
Feb 15, 2017, 23:57
The malicious activity that was the subject of the user warnings revolved around the use of "forged cookies" - strings of data which are used across the web and can sometimes allow people to access online accounts without re-entering their passwords. Yahoo thinks the group behind it is the same group of hackers that stole user information on 500 million user accounts in 2014. A source familiar with the situation said that investigations into the security incidents were in their final stages and the list of users to be notified was being finalized as well. The company made the announcement at the same time it revealed a separate security breach that took place in 2013, in which hackers stole information on 1 billion Yahoo accounts.
Yahoo is warning some customers that state-sponsored attackers have accessed their accounts by using a sophisticated cookie-forging attack, which doesn't require obtaining user passwords.
Yahoo has confirmed users are being notified their accounts had been "potentially compromised", but refused to say how many people were affected.
Yahoo has begun warning individual users that their accounts with the service may have been compromised in a massive data breach it reported late last year.
"As we have previously disclosed, our outside forensic experts have been investigating the creation of forged cookies that could have enabled an intruder to access our users' accounts without a password", the company said in a statement.
Yahoo began notifying the affected users in December, but as the Verizon deal closes, the notification process is wrapping up.
Some reports on Wednesday said the two companies had agreed to discount the price by US$250 million to US$300 million following disclosure of the attacks. Jerry Moran reprimanded Yahoo CEO Marissa Mayer in a February 10 letter for not being more forthcoming about the security problems.
"Based on the ongoing investigation, we believe a forged cookie may have been used in 2015 or 2016 to access your account", the company wrote in an email to users today.
Yahoo has not identified the state-sponsored actor.