Yahoo has issued a new warning to some users on Wednesday (February 15) about potentially malicious activity on their accounts between 2015 and 2016 where hackers used forged cookies to access users' accounts without a password. The latest notifications were issued in response to a data breach disclosed in December 2016 that occurred in August 2013 which compromised over one billion accounts — the largest known data hack in history.
In September, the company disclosed a separate breach that occurred in late 2014 that affected at least 500 million user accounts, blaming "state-sponsored actors" for the attack. The company said some of the 2015 and 2016 incidents have been tied to the same state-sponsored actor, but did not name the state.
"Based on the ongoing investigation, we believe a forged cookie may have been used in 2015 or 2016 to access your account," the email from Yahoo reads. "We have connected some of the cookie forging activity to the same state-sponsored actor believed to be responsible for the data theft we disclosed on Sept. 22, 2016."
According to a security update issued by Yahoo in December 2016, the stolen data may have included users' names, email addresses, phone numbers, dates of birth and MD5-hashed passwords, as well as encrypted or unencrypted security questions in some cases.
"As we have previously disclosed, our outside forensic experts have been investigating the creation of forged cookies that could have enabled an intruder to access our users' accounts without a password," a Yahoo spokesperson said in a statement to multiple media outlets.
"The investigation has identified user accounts for which we believe forged cookies were taken or used. Yahoo is in the process of notifying all potentially affected account holders. Yahoo has invalidated the forged cookies so they cannot be used again."
The hackers used "forged cookies": strings of data that a web service stores in the browser so that a user can return to an online account without re-entering a password. An attacker able to mint such a cookie is treated as an already authenticated user. Yahoo did not specify how many user accounts were affected by this malicious activity.
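To make the forgery and the invalidation concrete, here is an added example (not Yahoo's code, and not describing its actual cookie format) of a signed session cookie: the payload is bound to an HMAC under a server-held key, so a cookie cannot be forged without that key, and a per-user "generation" counter lets the server invalidate every outstanding cookie at once. The key, the cookie layout and the `cookie_generation` store are assumptions for this illustration.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time

# Constructed demo values: a server-side signing key and a per-user cookie generation.
# These are assumptions for this example, not Yahoo's design.
SERVER_KEY = b"constructed-demo-key-rotate-in-production"
cookie_generation = {"alice": 1}  # bumping this invalidates every cookie issued for the user


def _sign(payload: bytes, key: bytes) -> str:
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def issue_cookie(user: str, key: bytes = SERVER_KEY, ttl: int = 3600, now=None) -> str:
    """Issue a session cookie of the form base64(payload) + '.' + HMAC-SHA256(payload)."""
    now = time.time() if now is None else now
    payload = json.dumps({"u": user, "g": cookie_generation[user], "exp": int(now + ttl)}).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload, key)


def validate_cookie(cookie: str, key: bytes = SERVER_KEY, now=None):
    """Return the user name if the cookie is genuine, unexpired and not invalidated; else None."""
    now = time.time() if now is None else now
    try:
        b64, sig = cookie.rsplit(".", 1)
        payload = base64.urlsafe_b64decode(b64)
        data = json.loads(payload)
    except (ValueError, binascii.Error):
        return None  # malformed cookie
    # Constant-time MAC check: without the key, no tampered or fabricated payload passes here.
    if not hmac.compare_digest(_sign(payload, key), sig):
        return None
    if data.get("exp", 0) < now:
        return None  # expired
    # Invalidation check: a cookie from an older generation is rejected even with a valid MAC.
    if data.get("g") != cookie_generation.get(data.get("u")):
        return None
    return data["u"]


def invalidate_all_cookies(user: str) -> None:
    """Server-side kill switch: bump the generation so every outstanding cookie for the user dies."""
    cookie_generation[user] += 1
```

Note that the generation counter only helps against cookies the attacker already holds; if the signing key itself is stolen, the key must be rotated as well.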
News of the latest security notifications comes amid reports suggesting that Verizon is close to a revised deal to acquire Yahoo's core internet business for $250m to $350m less than the initially agreed price of $4.83bn (£3.9bn).
In October, telecom giant Verizon said that the disclosed 2014 data breach did have "material" impact and could affect the proposed deal to acquire Yahoo.
"Maybe this isn't quite as much of a discount as initially thought, but it's at least something," Dave Heger, senior equity analyst at Edward Jones told Reuters.
In January, the Wall Street Journal reported that the US Securities and Exchange Commission has launched an investigation into whether the company should have disclosed the massive 2013 and 2014 breaches sooner to investors.