Yahoo has become synonymous with data breaches in recent times, becoming an unwanted record holder last year after admitting to the biggest data breach in history which saw a billion user accounts hacked.
Among those affected were more than 3,000 Australian Government officials, in a breach that was discovered when Yahoo was investigating a different breach from 2014 which saw the data of 500 million accounts compromised.
Now, in addition to those breaches, Yahoo has said that hackers have accessed around 32 million user accounts using forged cookies over the last two years.
In a regulatory filing, Yahoo said that it is “routinely targeted by outside third parties, including technically sophisticated and well-resourced state-sponsored actors, attempting to access or steal our user and customer data or otherwise compromise user accounts”.
“We believe such a state-sponsored actor was responsible for the theft involved in the 2014 Security Incident and for at least some of the Cookie Forging Activity,” the company said.
Yahoo believes hackers managed to access its proprietary code and learnt how to forge certain cookies, which in turn allowed them to access user accounts without a password.
The compromised cookies have now been invalidated so they can no longer be used to access people’s accounts.
The filing also outlines the potential future impact of these security breaches, saying they “have caused and may in the future cause, the market perception of the effectiveness of our security measures to be harmed and could cause us to lose users and customers, or detrimentally affect our relationships with distribution partners, service providers, vendors and app developers”.
On the financial side, the breaches revealed last year have so far cost the company $16 million (£13m), of which “$5 million was associated with the ongoing forensic investigation and remediation activities and $11 million was associated with nonrecurring legal costs”.
Furthermore, CEO Marissa Mayer will not be awarded a cash bonus for 2016 as a result of her handling of the security incidents and Yahoo’s General Counsel and Secretary Ronald Bell resigned from his role and from all other positions within the company.
The breaches have also affected Yahoo’s potential takeover by US mobile operator Verizon. Verizon announced the $4.83 billion (£3.86bn) acquisition of Yahoo’s core internet business in July 2016 after a somewhat protracted affair marred by investor pressure and poor financial results.
However, Verizon has since shaved $350 million (£280m) off the price it is willing to pay for the former internet giant following the security failings and even threatened to pull out of the deal altogether.
This hasn’t yet happened and Yahoo recently revealed the changes that will take place if and when the deal is finalised. Once the sale of Yahoo’s core Internet business is completed, the remaining entity will be transformed into an investment company under the name Altaba Inc, with no official products or staff.
It will be controlled by a reduced board, after Marissa Mayer and several other directors committed to resigning upon the deal’s completion.