Yahoo cookie-forging incident affected 32 million accounts

We finally know how many user accounts were affected by last year’s Yahoo cookie-forging incident: 32 million.


What happened?

“In November and December 2016, we disclosed that our outside forensic experts were investigating the creation of forged cookies that could allow an intruder to access users’ accounts without a password,” the company noted in a report submitted to the US Securities and Exchange Commission on Monday.

“Based on the investigation, we believe an unauthorized third party accessed the Company’s proprietary code to learn how to forge certain cookies. The outside forensic experts have identified approximately 32 million user accounts for which they believe forged cookies were used or taken in 2015 and 2016. We believe that some of this activity is connected to the same state-sponsored actor believed to be responsible for the 2014 Security Incident.”
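The filing's key detail is that the attacker learned how to forge cookies by reading the company's proprietary code. As an added illustration (not from the article, and not Yahoo's actual scheme, which the filing does not describe), the following is a minimal HMAC-signed session cookie design in which the cookie format and the signing code are treated as public and only the signing key is secret, so a copy of the source code alone yields nothing forgeable, and rotating the key invalidates every outstanding cookie, forged or not. The `SESSION_SIGNING_KEYS` variable name, the cookie layout and the sample keys are all constructed for this example.

```python
"""Added example: HMAC-signed session cookies with the key kept out of the code base.

Constructed illustration, not Yahoo's scheme (the filing does not describe it).
Design rule: format and algorithm are assumed to be known to an attacker; only the
key is secret, and rotating it invalidates every cookie signed under the old key.
"""
import base64
import hashlib
import hmac
import json
import os
import secrets
import time
from typing import Optional


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def load_keyring() -> dict:
    """Keys come from configuration, never from the repository.

    Assumption: a hypothetical SESSION_SIGNING_KEYS variable of the form
    'kid:hex,kid:hex'. When it is absent a random key is generated so the
    example runs stand-alone.
    """
    raw = os.environ.get("SESSION_SIGNING_KEYS")
    if not raw:
        return {"k-demo": secrets.token_bytes(32)}
    return {kid: bytes.fromhex(hexkey)
            for kid, hexkey in (item.split(":", 1) for item in raw.split(","))}


def mint_cookie(user_id: str, key: bytes, key_id: str,
                ttl: int = 3600, now: Optional[int] = None) -> str:
    """Produce '<base64 payload>.<base64 HMAC-SHA256>' bound to a user, an expiry
    and the id of the key that signed it (the key id supports rotation and audit)."""
    now = int(time.time()) if now is None else now
    claims = {"uid": user_id, "exp": now + ttl, "kid": key_id}
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(sig)}"


def verify_cookie(cookie: str, keyring: dict, now: Optional[int] = None) -> Optional[str]:
    """Return the user id for a valid cookie, or None for anything else.

    Rejects malformed input, an unknown or retired key id, a bad signature
    (compared in constant time) and an expired cookie. Every failure maps to
    None so callers treat them uniformly as 'not authenticated'.
    """
    now = int(time.time()) if now is None else now
    try:
        payload_b64, sig_b64 = cookie.split(".", 1)
        payload, sig = _unb64(payload_b64), _unb64(sig_b64)
        claims = json.loads(payload)
        key = keyring[claims["kid"]]          # a retired kid is simply not found
        user_id, exp = claims["uid"], int(claims["exp"])
    except (ValueError, KeyError, TypeError, AttributeError):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    if exp <= now:
        return None
    return user_id


def rotate_key(keyring: dict, new_kid: str) -> dict:
    """Return a keyring holding only a fresh key. Every cookie signed under the
    old keys, legitimately minted or forged, is rejected on the next request."""
    return {new_kid: secrets.token_bytes(32)}


if __name__ == "__main__":
    keyring = load_keyring()
    kid = next(iter(keyring))
    cookie = mint_cookie("alice", keyring[kid], kid, ttl=60)
    print("valid cookie      :", verify_cookie(cookie, keyring))
    # Same format, same algorithm, different key: all that a code-only leak provides.
    wrong_key = mint_cookie("alice", secrets.token_bytes(32), kid, ttl=60)
    print("signed w/ wrong key:", verify_cookie(wrong_key, keyring))
    print("after key rotation :", verify_cookie(cookie, rotate_key(keyring, "k-new")))
```

The `kid` claim is what makes the incident response in the filing workable at scale: the server can retire a single key id, and later audit which accounts presented cookies under it, without touching every account individually.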

You may be forgiven for not giving a hoot about this revelation, as it comes after revelations of data breaches that affected approximately one billion and 500 million user accounts in 2013 and 2014, respectively.

I think nobody would be surprised if, at this point, Yahoo shared information about a few more breaches, as they have lost all credibility with regard to their capability to fend off attacks – or to respond to them appropriately.

“In late 2014, senior executives and relevant legal staff were aware that a state-sponsored actor had accessed certain user accounts by exploiting the Company’s account management tool. The Company took certain remedial actions, notifying 26 specifically targeted users and consulting with law enforcement,” the company also wrote in the filing.

But, “while significant additional security measures were implemented in response to those incidents, it appears certain senior executives did not properly comprehend or investigate, and therefore failed to act sufficiently upon, the full extent of knowledge known internally by the Company’s information security team. Specifically, as of December 2014, the information security team understood that the attacker had exfiltrated copies of user database backup files containing the personal data of Yahoo users but it is unclear whether and to what extent such evidence of exfiltration was effectively communicated and understood outside the information security team.”

“Nonetheless, the Committee found that the relevant legal team had sufficient information to warrant substantial further inquiry in 2014, and they did not sufficiently pursue it. As a result, the 2014 Security Incident was not properly investigated and analyzed at the time, and the Company was not adequately advised with respect to the legal and business risks associated with the 2014 Security Incident,” they noted.

Who, apart from users, has or will be affected by these breaches?

“In response to the Independent Committee’s findings related to the 2014 Security Incident, the Board determined not to award to the Chief Executive Officer a cash bonus for 2016 that was otherwise expected to be paid to her. In addition, in discussions with the Board, the Chief Executive Officer offered to forgo any 2017 annual equity award given that the 2014 Security Incident occurred during her tenure and the Board accepted her offer,” the company shared.

The news was confirmed by Yahoo CEO Marissa Mayer in a post published on Wednesday, in which she says that she has expressed her desire that her bonus be redistributed to the company’s hardworking employees.

Whether it will be remains to be seen, but I wouldn’t hold my breath if I were a Yahoo employee, as the hacks resulted in Verizon knocking $350 million off the initial acquisition price it offered for Yahoo’s properties.

The report also showed that Yahoo doesn’t believe that it will suffer losses from the 43 consumer class action lawsuits that have been filed against the company relating to all the aforementioned security incidents.

In any case, the company’s General Counsel Ronald Bell won’t be there to fight them in court, as he resigned from all positions in the company on Wednesday.