The hits just keep on coming.
Yahoo today revealed a third major hack, wherein some 32 million accounts have been accessed by intruders over the past two years. These accounts are in addition to the accounts affected by the two data breaches the company had previously disclosed.
The accounts were apparently compromised via forged cookie files. Yahoo has stated that the accounts were accessed by the “same state-sponsored actor believed to be responsible for the 2014 hack.” The 2014 hack was the one that affected at least 500 million accounts.
“Based on the investigation, we believe an unauthorized third party accessed the company’s proprietary code to learn how to forge certain cookies,” Yahoo said in its latest annual filing.
To remedy the issue, Yahoo says that it has invalidated those cookies so that they cannot be used to access user accounts any longer.
Finally, Yahoo also announced today that it would not be awarding CEO Marissa Mayer a cash bonus for 2016 following an independent committee’s research into the 2014 security breaches. Mayer has also offered to waive any 2017 annual equity award given the breaches.
All three data breaches have come as Yahoo is in the midst of being acquired by Verizon. In response to the security concerns, Verizon revealed last month that it was cutting $350 million from its acquisition price of the company, bringing the price down to $4.48 billion.
The acquisition is expected to close during the second quarter of this year. Verizon has stated that the data breaches could delay “some integration of Yahoo with Verizon after the closing.”
So, make sure you’re up to date on your security patches, and if you have a Yahoo email account, it can’t hurt to change your password in the near future.
Stay tuned for additional details as they become available.