Yahoo’s newly issued warning to users about malicious hacks is related to a third data breach that the company disclosed in December 2016. A warning sent to some Yahoo users Wednesday read: “Based on the ongoing investigation, we believe a forged cookie may have been used in 2015 or 2016 to access your account.”
This breach was quietly revealed in a December 2016 statement from Yahoo that provided information on a separate hack that occurred in August 2013 involving more than 1 billion accounts. Some of the 2015 and 2016 incidents have been tied to a “state-sponsored actor” that was involved in another 2014 breach that affected up to 500 million accounts.
“As we have previously disclosed, our outside forensic experts have been investigating the creation of forged cookies that could have enabled an intruder to access our users’ accounts without a password,” a Yahoo spokesperson said in an emailed statement. “The investigation has identified user accounts for which we believe forged cookies were taken or used. Yahoo is in the process of notifying all potentially affected account holders.”
A source familiar with the matter said the investigations for these breaches are nearing an end.
The earlier, catastrophic breaches that impacted over 1.5 billion accounts raised questions about Yahoo’s security, and called into question the company’s deal to sell itself to Verizon Communications.
Both SunTrust and CFRA retained their hold opinion on Yahoo shares, mostly tied to the fact that Verizon will likely still purchase the internet company and has renegotiated the purchase price. Bloomberg reported that the telecommunications company was able to reduce the initial $4.8 billion price by $250 million due to the data breaches.
— This story was reported by AP and CNBC’s Michelle Castillo