Yahoo, which disclosed two massive data breaches last year, has revealed about 32 million user accounts were accessed by intruders in the last two years using forged cookies.
The company said some of the latest intrusions can be connected to the ‘same state-sponsored actor believed to be responsible for the 2014 breach’, in which at least 500 million accounts were affected.
‘Based on the investigation, we believe an unauthorized third party accessed the company’s proprietary code to learn how to forge certain cookies,’ Yahoo said in its latest annual filing.
These cookies have been invalidated so they cannot be used to access user accounts, the company said.
The new malicious activity reported by Yahoo revolved around the use of ‘forged cookies’ – strings of data which are used across the web and can sometimes allow people to access online accounts without re-entering their passwords.
Yahoo first warned customers of the potentially malicious activity on their accounts in February as part of the latest development in the internet company’s investigation of a mega-breach that exposed 1 billion users’ data several years ago.
Yahoo had been notifying users that their accounts had potentially been compromised, but until now it had declined to say how many people were affected.
The messages said, ‘based on the ongoing investigation, we believe a forged cookie may have been used in 2015 or 2016 to access your account.’
Other Yahoo users also posted messages to Twitter to report receiving similar messages.
Source: Daily Mail