In an SEC filing, Yahoo has confirmed that a cookie-forging attack led to a data breach involving more than 32 million accounts in 2015 and 2016. The actual filing said, “Based on the investigation, we believe an unauthorized third party accessed the Company’s proprietary code to learn how to forge certain cookies. The outside forensic experts have identified approximately 32 million user accounts for which they believe forged cookies were used or taken in 2015 and 2016 (the “Cookie Forging Activity”). We believe that some of this activity is connected to the same state-sponsored actor believed to be responsible for the 2014 Security Incident. The forged cookies have been invalidated by the Company so they cannot be used to access user accounts.”
In response to the attack, CEO Marissa Mayer announced that she was taking full responsibility for the attack and that instead of receiving her annual bonus and equity grant, she would have it distributed among Yahoo’s employees.