It has been a tough couple of quarters for Yahoo. Over the past few months, the company has confirmed massive cyberattacks in 2014 and 2013 that affected more than 500 million and 1 billion user accounts, respectively. Yahoo has now confirmed another cyberattack: a cookie-forging attack that left more than 32 million accounts breached. Few details about this attack are available right now, but it’s believed to have taken place between 2015 and 2016.
An investigation by the U.S. Securities and Exchange Commission is underway, and Yahoo’s submission is that this attack could have been linked to the 2014 attack in some way. The attack that left 32 million accounts compromised relied on a sophisticated attack vector: forged cookies that were used to access user accounts. Yahoo’s SEC filings reveal that it invalidated the forged cookies soon after they were discovered.
The SEC promised to look into the hackings after reports emerged suggesting that Yahoo had ample knowledge of the situation to disclose the massive cyberattack to investors in 2014. The agency also concluded that some top executives failed to “properly comprehend or investigate” the full extent of the breach, reiterating the conclusion that the company’s legal team had enough information to open an inquiry into the matter.
Yahoo CEO Marissa Mayer wrote on her Tumblr blog today that she’s taking responsibility for the entire debacle. She also announced that she will forgo her annual bonus and equity grant, and that they should instead be redistributed to Yahoo’s employees.