As posted on Yahoo hackers accessed 32 million accounts with forged cookies
In a regulatory filing, Yahoo revealed some additional details about data breaches that have affected over a billion accounts. Among that information is the news that hackers who obtained Yahoo’s code and were able to create their own cookies were able to access 32 million accounts through 2015 and 2016. Additionally, the 10-K statement provided to the SEC says that Yahoo notified 26 individuals and consulted with law enforcement after it became aware that state-sponsored hackers had exploited its account management tool for access.
Yahoo publicly revealed the extent of these breaches in December, but admits in the report that in 2014 "it appears certain senior executives did not properly comprehend or investigate, and therefore failed to act sufficiently upon, the full extent of knowledge known internally by the Company’s information security team."
As a result of the investigation, its board has decided that CEO Marissa Mayer will not receive a cash bonus she was to receive for 2016, while general counsel Ronald S. Bell resigned. As a result of the revelations that account information had been stolen, which Mayer says she became aware of in September of last year, Verizon cut $350 million from its offer to acquire Yahoo.
Description of Events
On September 22, 2016, we disclosed that a copy of certain user account information for approximately 500 million user accounts was stolen from Yahoo’s network in late 2014 (the "2014 Security Incident"). The Company believes the user account information was stolen by a state-sponsored actor. The user account information taken included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with the "bcrypt" hashing algorithm) and, in some cases, encrypted or unencrypted security questions and answers. Our forensic investigation indicates that the stolen information did not include unprotected passwords, payment card data, or bank account information. Payment card data and bank account information are not stored in the system that the investigation found to be affected. We have no evidence that the state-sponsored actor is currently in or accessing the Company’s network.
On December 14, 2016, we disclosed that, based on our outside forensic expert’s analysis of data files provided to the Company in November 2016 by law enforcement, we believe an unauthorized third party stole data associated with more than one billion user accounts in August 2013 (the "2013 Security Incident"). We have not been able to identify the intrusion associated with this theft, and we believe this incident is likely distinct from the 2014 Security Incident. For potentially affected accounts, the user account information stolen included names, email addresses, telephone numbers, dates of birth, hashed passwords (using the MD5 algorithm) and, in some cases, encrypted or unencrypted security questions and answers. The stolen information did not include passwords in clear text, payment card data, or bank account information.
In November and December 2016, we disclosed that our outside forensic experts were investigating the creation of forged cookies that could allow an intruder to access users’ accounts without a password. Based on the investigation, we believe an unauthorized third party accessed the Company’s proprietary code to learn how to forge certain cookies. The outside forensic experts have identified approximately 32 million user accounts for which they believe forged cookies were used or taken in 2015 and 2016 (the "Cookie Forging Activity"). We believe that some of this activity is connected to the same state-sponsored actor believed to be responsible for the 2014 Security Incident. The forged cookies have been invalidated by the Company so they cannot be used to access user accounts.
The 2013 Security Incident, the 2014 Security Incident, and the Cookie Forging Activity are collectively referred to herein as the "Security Incidents." With respect to each of the Security Incidents, the impacted users and appropriate regulatory and law enforcement agencies have been notified.
The Company, with the assistance of outside forensic experts, has concluded its investigation of the Security Incidents. The Company continues to work with U.S. law enforcement authorities on these matters.
Independent Committee Investigation
As previously disclosed, an independent committee (the "Independent Committee") of the Board of Directors (the "Board") has investigated the Security Incidents and related matters, including the scope of knowledge within the Company in 2014 of access to Yahoo’s network by the state-sponsored actor responsible for the theft and related incidents, the Company’s internal and external reporting processes and remediation efforts related to the 2014 Security Incident and related incidents. The Independent Committee has concluded its investigation, although it will continue to review developments regarding the Security Incidents and report to the Board on these issues, and cooperate with various government entities. The Independent Committee was assisted by independent counsel, Sidley Austin LLP, and a forensic expert. The Board has separately been advised by other outside counsel regarding the Security Incidents and recommendations regarding remedial actions.
Based on its investigation, the Independent Committee concluded that the Company’s information security team had contemporaneous knowledge of the 2014 compromise of user accounts, as well as incidents by the same attacker involving cookie forging in 2015 and 2016. In late 2014, senior executives and relevant legal staff were aware that a state-sponsored actor had accessed certain user accounts by exploiting the Company’s account management tool. The Company took certain remedial actions, notifying 26 specifically targeted users and consulting with law enforcement. While significant additional security measures were implemented in response to those incidents, it appears certain senior executives did not properly comprehend or investigate, and therefore failed to act sufficiently upon, the full extent of knowledge known internally by the Company’s information security team. Specifically, as of December 2014, the information security team understood that the attacker had exfiltrated copies of user database backup files containing the personal data of Yahoo users but it is unclear whether and to what extent such evidence of exfiltration was effectively communicated and understood outside the information security team. However, the Independent Committee did not conclude that there was an intentional suppression of relevant information.
Nonetheless, the Committee found that the relevant legal team had sufficient information to warrant substantial further inquiry in 2014, and they did not sufficiently pursue it. As a result, the 2014 Security Incident was not properly investigated and analyzed at the time, and the Company was not adequately advised with respect to the legal and business risks associated with the 2014 Security Incident. The Independent Committee found that failures in communication, management, inquiry and internal reporting contributed to the lack of proper comprehension and handling of the 2014 Security Incident. The Independent Committee also found that the Audit and Finance Committee and the full Board were not adequately informed of the full severity, risks, and potential impacts of the 2014 Security Incident and related matters.
Source: Yahoo 10-K