Yahoo has clarified that the two massive data breaches that took place last year happened using forged cookies, reports Reuters. According to the company, some of the latest intrusions were likely caused by the “same state-sponsored actor believed to be responsible for the 2014 breach”, leading to a compromise of 500 million accounts.
Additionally, the company mentions that “based on the investigation, we believe an unauthorized third party accessed the company’s proprietary code to learn how to forge certain cookies.” The revelation comes nearly 3 months after Yahoo reported a second breach, which likely took place in August 2013, predating the previous disclosed breach that apparently happened in 2014.
The second reported breach had compromised the data of over 1 billion user accounts, twice the number of the 2014 breach which stood at 500 million. According to Yahoo, law enforcement provided it with hacked data files that were claimed to be Yahoo user data in November, which it has now confirmed. It mentioned that hackers created forged cookies, using Yahoo’s proprietary code, that would allow them access to accounts without a password.
Verizon deal in trouble?
Interestingly, the revelation by Yahoo comes around the time it’s still working out its $4.8 billion acquisition by Verizon. Verizon has previously said that it had a ‘reasonable basis’ to believe the hacks represented a material impact that could allow it to withdraw from the $4.8 billion deal. The company was apparently looking to get a $1 billion discount on the Yahoo deal, although this was not confirmed by either party. However, just last month, Verizon did cut the deal price by $350 million, and it’s not clear if it will look to further devalue the price before the final purchase.