
Credit: http://www.bankinfosecurity.com/yahoo-ceo-loses-bonus-over-security-lapses-a-9748
Yahoo has confirmed that 32 million accounts were hacked in a cookie-related attack. The attack, which dates back to 2015 and 2016, generated tension among Yahoo email account owners, causing many to change their passwords a couple of times.
In an email sent in February to ZDNET by Yahoo, the company explained that state-sponsored attackers gained access to users’ accounts using what it regarded as a sophisticated cookie-forging attack. This so-called sophisticated attack, according to Yahoo, doesn’t require obtaining user passwords.
That was the most recent of the attacks carried out against Yahoo, but users were not given further information on the exact number of accounts affected. According to Yahoo, we now know that 32 million accounts were affected in the attack:
“In November and December 2016, we disclosed that our outside forensic experts were investigating the creation of forged cookies that could allow an intruder to access users’ accounts without a password. Based on the investigation, we believe an unauthorized third party accessed the Company’s proprietary code to learn how to forge certain cookies. The outside forensic experts have identified approximately 32 million user accounts for which they believe forged cookies were used or taken in 2015 and 2016 (the “Cookie Forging Activity”). We believe that some of this activity is connected to the same state-sponsored actor believed to be responsible for the 2014 Security Incident. The forged cookies have been invalidated by the Company so they cannot be used to access user accounts.”
In 2016, Yahoo confirmed in two separate statements that hackers had breached users’ accounts, but assured users that an investigation was ongoing at the time. The two attacks caused some ripples, and almost led to the collapse of the proposed agreements between Verizon and Yahoo. Recall that Verizon was at the time finalizing the process of acquiring Yahoo.
Marissa Mayer takes full responsibility…
Following this development, Yahoo CEO Marissa Mayer announced in a Tumblr post that she was taking full responsibility for the situation. She further said in the same post that she had agreed to forgo her annual bonus and equity grant:
“As those who follow Yahoo know, in late 2014, we were the victim of a state-sponsored attack and reported it to law enforcement as well as to the 26 users that we understood were impacted. When I learned in September 2016 that a large number of our user database files had been stolen, I worked with the team to disclose the incident to users, regulators, and government agencies. However, I am the CEO of the company and since this incident happened during my tenure, I have agreed to forgo my annual bonus and my annual equity grant this year and have expressed my desire that my bonus be redistributed to our company’s hardworking employees, who contributed so much to Yahoo’s success in 2016.”
Hopefully all issues relating to the hack have been put to rest, and everyone can now move on to other things.