It just keeps getting worse for Yahoo – adding to the 500 million accounts compromised in a 2014 breach and the huge one billion accounts hit in a 2013 hack, it has been disclosed that 32 million accounts have been compromised in a cookie forging attack.
Hitting the headlines in February, the cookie forging attack was thought by Yahoo to have been used to target accounts between 2015 or 2016.
If news of a third batch of compromised accounts wasn’t enough, the historic data breaches also show no signs of going away quietly.
It turns out that the company was in fact aware of the colossal scale of the 2014 attacks, causing the company’s top lawyer on the case to resign. The resignation of their top lawyer Ronald Bell followed a Yahoo regulatory filing that revealed the legal team active during the breaches in 2014 did not take the correct action of pursuing further inquiry.
The Form 10-K filing included a summary of an investigation of the 2014 hacking incident that was conducted by an Independent Committee. According to The Register, the investigators ‘“… concluded that the company’s information security team had contemporaneous knowledge of the 2014 compromise of user accounts, as well as incidents by the same attacker involving cookie forging in 2015 and 2016”’.
The Yahoo saga shows no signs of slowing, with CEO Marissa Mayer sharing a sizeable chunk of the blame. The company said that Mayer will not be receiving her bonus, and in addition to this she has personally proposed that she should not receive an annual equity award for 2017.
This follows Verizon having cut down their original offer to buy the company’s internet assets by $350 million. The final price tag has now been confirmed by Verizon as $4.48bn, with the two companies splitting the costs of the subsequent lawsuits. The agreed price is miniscule in the shadow of the $44bn offered by Microsoft in 2008.