Yahoo Investigates Cookie Powered Password Bypass Hack

Yahoo is investigating a claim that a hacker created the means to access its users’ account data without needing their passwords.

In a filing to the US Securities and Exchange Commission, Yahoo said that law enforcement agencies began sharing information they indicated was provided by the hacker, who claimed it was account data from Yahoo users.

It is unclear whether this hacker and the data relate to the massive data leak Yahoo recently suffered or to newly leaked data.

Yahoo said its investigation is looking into whether the hacker could have gained access to the data by creating website ‘cookies’ that allowed normal password protection to be bypassed, though according to the Financial Times, a source familiar with the issue said Yahoo does not believe it is possible for hackers to forge valid Yahoo Mail cookies.

Yahoo hack saga

The past couple of months have been tough for Yahoo after the data of 500 million of its users was leaked following a data breach back in 2014.

The major data leak came at a time when the company is in the process of being acquired by Verizon, which has caused the US telecoms giant to voice concerns over the material impact the breach may have on its $4.8 billion deal to purchase Yahoo.

The latest part of the data breach saga now has an independent committee of Yahoo’s board investigating how much knowledge the company’s staff had of the 2014 data breach.

Yahoo claimed it became aware of the breach in August 2016, around a month after it reached a purchase deal with Verizon. But the filing suggests some of its employees may have known about the data breach around two years earlier.

“The Company had identified that a state-sponsored actor had access to the Company’s network in late 2014,” the filing noted.

“An Independent Committee of the Board, advised by independent counsel and a forensic expert, is investigating, among other things, the scope of knowledge within the Company in 2014 and thereafter regarding this access, the Security Incident, the extent to which certain users’ account information had been accessed, the Company’s security measures, and related incidents and issues.”

If the company’s employees did know about the breach well ahead of the data leak, then it could have damning results for both the company’s reputation and its acquisition deal with Verizon.

Yahoo’s relationship with cyber security is already fairly strained, with researchers noting its certificate security is still poor despite the impact of the data breach, so any further revelations of potential negligence could leave the company in disgrace.


Roland Moore-Colyer

As News Editor of Silicon UK, Roland keeps a keen eye on the daily tech news coverage for the site, while also focusing on stories around cyber security, public sector IT, innovation, AI, and gadgets.
