Yahoo has begun notifying affected customers who may have had their accounts breached by state snoopers via forged cookies, as reports suggest it may be prepared to cut $250m off its agreed sale price with Verizon.
The internet pioneer admitted in September last year that suspected state-sponsored operatives had managed to obtain the details of 500 million accounts in a 2014 breach. This was followed by a much bigger separate disclosure in December of one billion accounts.
During the second announcement, Yahoo said third-party forensic experts were investigating “the creation of forged cookies that could allow an intruder to access users' accounts without a password.”
“Based on the ongoing investigation, the company believes an unauthorized third party accessed the company's proprietary code to learn how to forge cookies. The outside forensic experts have identified user accounts for which they believe forged cookies were taken or used. Yahoo is notifying the affected account holders, and has invalidated the forged cookies. The company has connected some of this activity to the same state-sponsored actor believed to be responsible for the data theft the company disclosed on September 22, 2016.”
It appears those customers are now finally being notified individually of attempts to break into their account in the 2015-16 period.
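The statement above describes an intruder who learned how to forge session cookies from the company's own code, and cookies that later had to be invalidated. The following is an added example, not Yahoo's code (the key ids, cookie layout and revocation list are assumptions), showing the two properties a session-cookie scheme needs to limit that kind of attack: an HMAC under a server-side secret, so that knowing the format alone does not let anyone mint a valid cookie, and a key id in every cookie, so that everything issued under a compromised key can be rejected at once without logging every user out.

```python
import base64, hashlib, hmac, json, secrets, time

# Constructed demo keys indexed by key id (kid); in production they come from a secret store.
SIGNING_KEYS = {"k1": secrets.token_bytes(32), "k2": secrets.token_bytes(32)}
CURRENT_KID = "k2"          # key used for newly issued cookies
REVOKED_KIDS = set()        # kids whose cookies are all rejected, e.g. after a key leak

def _mac(kid, payload_b64):
    # Bind the kid into the MAC so a cookie cannot be replayed under another key id.
    msg = f"{kid}.{payload_b64}".encode()
    return hmac.new(SIGNING_KEYS[kid], msg, hashlib.sha256).hexdigest()

def issue_cookie(user_id, ttl=3600, now=None):
    """Return 'kid.payload.mac' for user_id, valid for ttl seconds."""
    now = int(time.time()) if now is None else now
    payload = {"uid": user_id, "exp": now + ttl}
    payload_b64 = base64.urlsafe_b64encode(json.dumps(payload).encode()).decode().rstrip("=")
    return f"{CURRENT_KID}.{payload_b64}.{_mac(CURRENT_KID, payload_b64)}"

def verify_cookie(cookie, now=None):
    """Return the user id if the cookie is authentic, unexpired and not revoked, else None."""
    now = int(time.time()) if now is None else now
    try:
        kid, payload_b64, mac = cookie.split(".")
    except ValueError:
        return None                      # malformed cookie
    if kid not in SIGNING_KEYS or kid in REVOKED_KIDS:
        return None                      # unknown or revoked key: reject before any MAC work
    if not hmac.compare_digest(mac, _mac(kid, payload_b64)):
        return None                      # forged or tampered; constant-time compare
    pad = "=" * (-len(payload_b64) % 4)
    payload = json.loads(base64.urlsafe_b64decode(payload_b64 + pad))
    if payload.get("exp", 0) <= now:
        return None                      # expired
    return payload.get("uid")

def revoke_key(kid):
    """Invalidate every cookie minted under kid, e.g. after that key is suspected stolen."""
    REVOKED_KIDS.add(kid)
```

A forged cookie in this scheme must carry a MAC under a key the server holds, so the detection point is a MAC mismatch or a revoked kid, both of which are worth logging as authentication failures rather than silently redirecting to login.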
Jason Hart, CTO of data protection at Gemalto, argued that although Yahoo urged its users to switch on two-factor authentication to secure accounts following the breaches, this wasn’t enough.
“Tools like this only work if the user remembers to activate them,” he argued. “Given the current security climate, all companies should have multi-factor authentication activated by default for all online accounts. Now, it only remains to see how much more of a discount Verizon may ask for.”
The breaches have cast doubt on the $4.8 billion sale of the company to Verizon. However, new reports suggest the two parties are set to agree a renegotiated deal featuring a $250m reduction in the original price.
It is claimed that Verizon and what’s left of Yahoo – set to be renamed Altaba – will share legal responsibility for the breach following the deal.
This could be significant if more users decide to launch class action lawsuits against the firm for negligence.