Yahoo has revealed that around 32 million user accounts were compromised by a hacker in the last two years using cookie forgery attacks.
Yahoo accounts were affected by two massive data breaches disclosed in the last few months. In 2014, 500 million Yahoo user accounts were breached.
Recently, Yahoo revealed that a hacker used a cookie forgery attack to access 32 million Yahoo user accounts.
What Is a Cookie Forgery Attack?
A cookie forgery attack is a technique in which the attacker forges the session cookie (a digital key) of the original user and presents it to the site to get access to the account without ever entering the password.
Instead of stealing passwords, the attacker tricks the web server into believing that the victim has already logged in, by forging the browser token, the cookie, that the server uses as proof of an existing session.
“Based on the investigation, we believe an unauthorized third party accessed the company’s proprietary code to learn how to forge certain cookies,” Yahoo said in its latest annual filing.
In a statement, Yahoo said the hacker might have stolen names, email addresses, passwords, dates of birth, hashed passwords and security questions.
Yahoo warned its customers last month that the attacker had accessed their accounts by using a cookie forging attack.
However, the good news is that Yahoo has invalidated the forged cookies, so an attacker can no longer use them to access user accounts.
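The two points above, that a forged cookie substitutes for a password and that a site can invalidate outstanding cookies in bulk, come down to how session cookies are built and checked. The following is an added illustration written for this article, not Yahoo's code; the cookie format, the hypothetical `SERVER_KEY`, and the timestamps are all constructed. It contrasts a cookie the server simply trusts with one bound to a server-held HMAC key, and shows a `not_before` cutoff that invalidates every cookie issued before a chosen time.

```python
import hashlib
import hmac
from typing import Optional

# Constructed example secret; a real deployment loads this from a secret store,
# never from the application source code.
SERVER_KEY = b"constructed-example-key-not-for-production"


def _mac(payload: str, key: bytes) -> str:
    """HMAC-SHA256 over the cookie payload; only the server holds the key."""
    return hmac.new(key, payload.encode("utf-8"), hashlib.sha256).hexdigest()


def parse_unsigned_cookie(cookie: str) -> Optional[str]:
    """Weak design: the cookie is just 'user=<id>', so the server believes
    whatever identity the client presents. Any client can mint one."""
    if cookie.startswith("user="):
        return cookie[len("user="):]
    return None


def issue_cookie(user_id: str, issued_at: int, key: bytes = SERVER_KEY) -> str:
    """Issue 'user_id|issued_at|mac'. Producing a valid value requires the key,
    not merely knowledge of the format."""
    payload = f"{user_id}|{issued_at}"
    return f"{payload}|{_mac(payload, key)}"


def verify_cookie(cookie: str, now: int, key: bytes = SERVER_KEY,
                  max_age: int = 86400, not_before: int = 0) -> Optional[str]:
    """Return the user id if the cookie is authentic and still valid, else None.

    not_before lets the server reject every cookie issued before a given time,
    the kind of mass invalidation described in the article, without touching
    individual user records.
    """
    parts = cookie.split("|")
    if len(parts) != 3:
        return None
    user_id, issued_str, mac = parts
    if not issued_str.isdigit():
        return None
    issued_at = int(issued_str)
    # Constant-time comparison so the check itself leaks nothing about the MAC.
    if not hmac.compare_digest(mac, _mac(f"{user_id}|{issued_str}", key)):
        return None
    if issued_at < not_before or now - issued_at > max_age:
        return None
    return user_id


if __name__ == "__main__":
    cookie = issue_cookie("alice", 1000)
    print(verify_cookie(cookie, now=1500))                        # alice
    print(verify_cookie(cookie.replace("alice", "mallory"), 1500))  # None: MAC no longer matches
    print(verify_cookie(cookie, now=1500, not_before=2000))       # None: invalidated in bulk
    print(parse_unsigned_cookie("user=mallory"))                  # mallory: nothing stops this
```

The design point follows from Yahoo's own statement that the attacker learned to forge cookies by reading proprietary code: the secret that makes a cookie unforgeable must be a key held outside the code and rotatable, so that reading the source reveals only the format, and rotating the key or raising `not_before` retires every cookie minted before the compromise.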
Last month, Verizon Communications Inc., which is in the process of buying Yahoo's core assets, lowered its offer by $350 million to $4.48 billion in cash; the deal is expected to close in the second quarter.
“When I learned in September 2016 that a large number of our user database files had been stolen, I worked with the team to disclose the incident to users, regulators, and government agencies,” Mayer wrote in a note published Monday on Tumblr.
Yahoo CEO Marissa Mayer has taken a pay cut and has also refused the cash bonus of $2 million and the stock award of $12 million for 2017.
Yahoo's credibility has been badly damaged. In addition, Ronald Bell, Yahoo's general counsel and secretary, resigned as of Wednesday after the company revealed that user accounts were compromised by the 'Company account's management tools' and that senior executives and legal staff were aware of the state-sponsored attack.