Hackers are certainly rubbing salt into the wounds of Yahoo, with the tech giant warning customers that a sophisticated cookie forging attack could have given state-sponsored hackers access to their accounts.
Just two months after disclosing a mega data breach had compromised the accounts of one billion users, Yahoo has not yet confirmed how many user accounts may be affected by this latest security issue. A notification email sent by Yahoo to users said:
“Our outside forensic experts have been investigating the creation of forged cookies that could allow an intruder to access users’ accounts without a password. Based on the ongoing investigation, we believe a forged cookie may have been used in 2015 or 2016 to access your account.”
A yahoo spokesperson said: “The investigation has identified user accounts for which we believe forged cookies were taken or used.
“Yahoo is in the process of notifying all potentially affected account holders. Yahoo has invalidated the forged cookies so they cannot be used again.”
According to reports in the Guardian, Yahoo first reported the cookie forging in November 2016, further outlining the issue in a security update in December 2016. However, users have only been notified this week.
In what is the latest in a long line of cyber security problems for Yahoo, it remains to be seen if this latest security issue will impact the huge amount of users seen in previous breaches.
2016 saw the tech giant disclose two major breaches, with a 2014 breach compromising 500 million accounts, and a 2013 hack hitting one billion user accounts. Although bank and payment information was not stolen, names, phone numbers, passwords and email addresses were all taken in the attacks.
The cyber security nightmare which Yahoo finds itself in could not have come at a worse time, with the tech company in the midst of an acquisition deal with Verizon. The initial deal on the table had a price tag of $4.8 billion, with Verizon looking to acquire Yahoo’s internet properties.
However, after the disclosure of the first data breach, Verizon’s general counsel Craig Silliman said that it was “reasonable” for Verizon to believe that the impact of the breach was “material”. This refers to specific legal language in the deal that says Verizon can withdraw if an event occurs which “reasonably can be expected to have a material adverse effect on the business, assets, properties, results of operation or financial condition of the business.”
Further reports suggested that Verizon was looking for a $1 billion price reduction in the acquisition deal, with the New York Post reporting that this move was being met with fierce resistance from Yahoo.
Latest reports suggest that Verizon has secured a discount on the acquisition deal, slashing the asking price by $250 million.