On the same day as a report that says Verizon is renegotiating its offer to buy Yahoo at a $250 million discount, the internet company — for the third time in less than six months — is warning users that there’s potential their email accounts may have been hacked.
Yahoo confirmed today that it was notifying users that their accounts may have been accessed illicitly between 2015 and 2016 but declined to say how many people were affected. However, sources familiar with the matter tell Consumerist that notifications have gone out to a reasonably final list of users and the security investigations are in their final stages.
“Based on the ongoing investigation, we believe a forged cookie may have been used in 2015 or 2016 to access your account,” the company wrote in an email to users today.
Yahoo first mentioned those “forged cookies” by Yahoo in December, when it announced the hack of one billion accounts: The company believes some some bad actors got access to proprietary code in order to forge cookies that let them log into users’ accounts without even having a password, stolen or otherwise.
The forged cookie incident, the company said in December, is probably related to the breach of 500 million accounts it reported in September. As for whether this is a separate event, Yahoo said that is has connected some of the cookie forging activity to the same state-sponsored actor believed to be responsible for the data theft disclosed in September, and that both of these events are related to the theft of user data in 2014. It’s unclear whether the same accounts were affected in both cases.
“As we have previously disclosed, our outside forensic experts have been investigating the creation of forged cookies that could have enabled an intruder to access our users’ accounts without a password,” a Yahoo spokesperson said in a statement. “The investigation has identified user accounts for which we believe forged cookies were taken or used. Yahoo is in the process of notifying all potentially affected account holders. Yahoo has invalidated the forged cookies so they cannot be used again.”
And as always, change basically any password anywhere that you might have held in common with your Yahoo one, and be careful with any unsolicited messages you may receive.