Yahoo has disclosed that 32 million user accounts have been accessed over the past two years by state-sponsored hackers using forged cookies. In a recent SEC filing, the firm divulged that it uncovered new evidence of accounts having been accessed by hackers when external forensic investigators were looking into previously disclosed data breaches. Meanwhile, Yahoo CEO Marissa Mayer has asked that her bonus, worth $2m, be cut over the data breaches.
In a blog post on Tumblr, Mayer wrote that she has "agreed to forgo my annual bonus and my annual equity grant", adding that she wanted Yahoo's board to distribute her bonus to the firm's 8,500-strong workforce. However, news of the 32 million compromised accounts indicates that Yahoo is likely still grappling with the magnitude of the cyberattacks.
In its SEC filing, which Yahoo submitted on Monday (27 March), the tech giant said, "We believe an unauthorized third party accessed the Company's proprietary code to learn how to forge certain cookies. We believe that some of this activity is connected to the same state-sponsored actor believed to be responsible for the 2014 Security Incident."
The firm also claimed that the cookies have since been invalidated and cannot be used any longer to access user accounts. The filing also revealed that in 2014 Yahoo's "senior executives and relevant legal staff were aware that a state-sponsored actor had accessed certain user accounts by exploiting the Company's account management tool".
In addition to these revelations, Mayer also disclosed that the 2014 state-sponsored hack saw 26 specific Yahoo users targeted. Meanwhile, Yahoo general counsel Ronald Bell resigned without severance pay over his department's seemingly lackadaisical response to the security lapses, the Guardian reported.
Yahoo's independent forensic expert detailed that while Yahoo took additional security measures, "certain senior executives did not properly comprehend or investigate, and therefore failed to act sufficiently upon, the full extent of knowledge known internally by the Company's information security team".
Yahoo's information security team realised that the hacker had stolen user database backup files, which contained Yahoo users' personal data. However, it remains unclear whether this knowledge was communicated outside the information security team. According to the Independent Committee that was brought in to investigate the matter, there was no indication of "intentional suppression of relevant information".