Yahoo! has revealed yet another breach in a notification sent to users Wednesday. The company has been trying to repair the reputational and security damage caused by the 2013 breach, the largest to date, which exposed the private information of 1 billion users online.
Although the cookie attack was disclosed in December, the media overlooked it because it was announced at the same time as the massive 2013 to 2014 data breach. Back then, the company announced that the cookie incident was connected “to the same state-sponsored actor believed to be responsible for the data theft the company disclosed on September 22, 2016.”
“Based on the ongoing investigation, we believe a forged cookie may have been used in 2015 or 2016 to access your account,” reads the notification users received.
An ongoing investigation has so far revealed that hackers infiltrated the company’s proprietary code and used it to forge cookies. The forged cookies presented a browser as already logged in to a user’s Yahoo! account, giving hackers easy and instant access to users’ emails with no password necessary.
“As we have previously disclosed, our outside forensic experts have been investigating the creation of forged cookies that could have enabled an intruder to access our users’ accounts without a password,” a Yahoo spokesperson said. “The investigation has identified user accounts for which we believe forged cookies were taken or used. Yahoo is in the process of notifying all potentially affected account holders.”
Yahoo! has not commented further on the number of affected users.