Yahoo Investigates Cookie Powered Password Bypass Hack

Yahoo is investigating a claim that a hacker created the means to access its users’ account data without needing their passwords.

In a filing to the US Securities and Exchange Commission Yahoo said that law enforcement agencies began sharing information they indicated was provided by the hacker who claimed it was account data from their users.

It is unclear whether this hacker and the data relates to the massive data leak Yahoo recently suffered or new leaked data.

Yahoo said its investigation has it looking into whether the hacker could have gained access to the data by creating website ‘cookies’ that allowed normal password protection to be bypassed, though a according to the Financial Times, a source familiar with the issue said Yahoo does not believe it is possible for hackers to forge valid Yahoo Mail cookies.

Yahoo hack saga

The past couple of months have been tough for Yahoo after the data of 500 million of its users was leaked following a data breach back in 2014.

The major data leak came at a time when the company is in the process of being acquired by Verizon, which has caused the US telecoms giant to voice concerns over material impact the breach may have on its $4.8 billion deal to purchase Yahoo.

The latest part of the data breach saga now has an independent committee of Yahoo’s board investigating how much knowledge the company’s staff had of the 2014 data breach.

Yahoo claimed it became aware of the breach in August 2016, around a month after it reached a purchase deal with Verizon. But the filing suggests some of its employees may have known about the data breach around two years earlier.

“The Company had identified that a state-sponsored actor had access to the Company’s network in late 2014,” the filing noted.

“An Independent Committee of the Board, advised by independent counsel and a forensic expert, is investigating, among other things, the scope of knowledge within the Company in 2014 and thereafter regarding this access, the Security Incident, the extent to which certain users’ account information had been accessed, the Company’s security measures, and related incidents and issues.”

If the company’s employees did know about the breach well ahead of the data leak, then it could have damming results for both the company’s reputation and its acquisition deal with Verizon.

Yahoo’s relationship with cyber security is already fairly strained, with researchers noting its certificate security is still poor despite the impact of the data breach, so any further revelations of potential negligence could leave the company in disgrace.