Yahoo says forged cookie attack accessed about 32M accounts

The company suspects the attack is connected to the same "state-sponsored actor" believed to be behind a massive 2014 breach.

Steven Musil Night Editor / News

Yahoo has revealed that hackers used forged cookies to access 32 million user accounts in the past two years, logging in without a password.

The company said in a regulatory filing Wednesday that the cookie caper is likely connected to the "same state-sponsored actor" thought to be behind a separate, 2014 breach that resulted in the theft of user information from 500 million user accounts.

"Based on the investigation, we believe an unauthorized third party accessed the company's proprietary code to learn how to forge certain cookies," Yahoo said in its annual filing to the Securities and Exchange Commission. The company went on to say the forged cookies have been invalidated to prevent further use on accounts.

Yahoo revealed the cookie caper in December, but the news was largely overlooked because the company announced at the same time that it had identified yet another security breach, which took place in 2013. In that breach, hackers stole information on 1 billion Yahoo accounts.

The scope of the cookie caper was revealed the same day Yahoo CEO Marissa Mayer said she would forgo her annual bonus and any 2017 equity in response to findings from an investigation by the company's board into the hacks. Ronald Bell, Yahoo's general counsel and secretary, also resigned as of Wednesday after the company revealed that senior executives and Yahoo's legal team didn't sufficiently pursue the security incidents.

Yahoo declined to comment on the matter beyond what it included in its filing.
