Yahoo notified users that, in addition to stealing passwords, hackers forged cookies to access their accounts.
“Based on the ongoing investigation, we believe a forged cookie may have been used in 2015 or 2016 to access your account,” the company wrote in an email to Yahoo users. The attackers reportedly leveraged forged cookies to access Yahoo users’ accounts rather than relying on passwords.
The company disclosed the cookie attack in late 2016 as part of a wider disclosure concerning the 2013 breach in which hackers stole data from 1 billion Yahoo accounts. The cookie attack was largely overlooked due to the scale of the 2013 breach.
“We have connected some of the cookie forging activity to the same state-sponsored actor believed to be responsible for the data theft we disclosed on September 22, 2016,” Yahoo told affected users.
Yahoo has invalidated the forged cookies, and the company has worked to improve cybersecurity standards across its systems.
Yahoo users are urged to remain vigilant in monitoring their accounts for suspicious activity, and refrain from opening attachments or clicking links in emails from unknown senders. Cybercriminals will likely increase targeted phishing scams aimed at Yahoo users to exploit previous breaches.
It remains unclear if this recent announcement will have any additional effects on the acquisition of Yahoo by Verizon. Verizon reportedly lowered its buying price of $4.8 billion by $250 million as a result of the previously disclosed Yahoo breaches.