Yahoo Investigates Cookie Powered Password Bypass Hack

Yahoo is investigating a claim that a hacker created the means to access its users’ account data without needing their passwords.

In a filing to the US Securities and Exchange Commission, Yahoo said that law enforcement agencies began sharing information they indicated was provided by the hacker, who claimed it was account data from Yahoo's users.

It is unclear whether this hacker and the data relate to the massive data leak Yahoo recently suffered or whether this is newly leaked data.

Yahoo said its investigation is looking into whether the hacker could have gained access to the data by creating website ‘cookies’ that allowed normal password protection to be bypassed, though according to the Financial Times, a source familiar with the issue said Yahoo does not believe it is possible for hackers to forge valid Yahoo Mail cookies.

Yahoo hack saga

The past couple of months have been tough for Yahoo after the data of 500 million of its users was leaked following a data breach back in 2014.

The major data leak came at a time when the company is in the process of being acquired by Verizon, which has caused the US telecoms giant to voice concerns over the material impact the breach may have on its $4.8 billion deal to purchase Yahoo.

The latest part of the data breach saga now has an independent committee of Yahoo’s board investigating how much knowledge the company’s staff had of the 2014 data breach.

Yahoo claimed it became aware of the breach in August 2016, around a month after it reached a purchase deal with Verizon. But the filing suggests some of its employees may have known about the data breach around two years earlier.

“The Company had identified that a state-sponsored actor had access to the Company’s network in late 2014,” the filing noted.

“An Independent Committee of the Board, advised by independent counsel and a forensic expert, is investigating, among other things, the scope of knowledge within the Company in 2014 and thereafter regarding this access, the Security Incident, the extent to which certain users’ account information had been accessed, the Company’s security measures, and related incidents and issues.”

If the company’s employees did know about the breach well ahead of the data leak, then it could have damning results for both the company’s reputation and its acquisition deal with Verizon.

Yahoo’s relationship with cyber security is already fairly strained, with researchers noting its certificate security is still poor despite the impact of the data breach, so any further revelations of potential negligence could leave the company in disgrace.


Roland Moore-Colyer
