Yahoo has begun warning some customers that their accounts were breached by state-sponsored hackers using cookie forging attacks that did not require passwords, ZDNet reported on Wednesday. This is the latest development in the company’s response to the massive security failure reported in September 2016, in which over a billion accounts were compromised.
The company said it was sending notifications to users via email. “The investigation has identified user accounts for which we believe forged cookies were taken or used,” it said in a statement. Cookie forging attacks involve manipulating the data that websites store on a user’s device while they browse the internet. It was reported that the hackers behind the security breach had stolen the source code Yahoo used to generate cookies.
The stolen information may have included names, email addresses, phone numbers, dates of birth, hashed passwords and, in some cases, encrypted or unencrypted security questions and answers, Yahoo had said. However, the investigation confirmed that no payment card data or banking-related information was stolen, as that data was not stored on the same system, according to the company.
The breach has affected Yahoo’s deal with Verizon, which has lowered its price for the company by $250 million (approximately Rs 16,741.25 crore).