Yahoo notifying users of malicious account activity as Verizon deal progresses

Yahoo is continuing to issue warnings to users about several security incidents as it moves toward an acquisition by Verizon. Users are receiving notifications today about unauthorized access to their accounts in 2015 and 2016, which occurred due to previously disclosed cookie forging.

“As we have previously disclosed, our outside forensic experts have been investigating the creation of forged cookies that could have enabled an intruder to access our users’ accounts without a password. The investigation has identified user accounts for which we believe forged cookies were taken or used. Yahoo is in the process of notifying all potentially affected account holders. Yahoo has invalidated the forged cookies so they cannot be used again,” a Yahoo spokesperson told TechCrunch.

The cookie forging is a separate issue from the mega-breaches Yahoo suffered in 2013 and 2014, in which information from over a billion user accounts was stolen. Yahoo chief information security officer Bob Lord announced in December that proprietary code had been used by a state-sponsored actor to forge cookies — enabling the attacker to access users’ accounts without a password. The warning issued to users says that some of the cookie forging activity is connected to the same attacker Yahoo believes is responsible for the 2014 breach of 500 million accounts. Yahoo disclosed that breach to users in September.

Yahoo began notifying the users affected by cookie forging in December, but as the Verizon deal closes, the notification process is wrapping up. A source familiar with the situation said that investigations into the security incidents were in their final stages and the list of users to be notified was being finalized as well.

Verizon reportedly secured a $250 million discount on Yahoo, driven by the disclosures of security breaches. (Disclosure: Verizon owns AOL, which owns TechCrunch.)

The security warnings to users are being issued as Yahoo faces questions from Congress about what data was lost in the breaches and how the company notified its customers. Sen. John Thune and Sen. Jerry Moran reprimanded Yahoo CEO Marissa Mayer in a Feb. 10 letter for not being more forthcoming about the security problems. Yahoo was slated to brief congressional staffers about the breaches on Jan. 31, the letter says, but Yahoo abruptly cancelled the meeting on Jan. 28.

“Yahoo!’s recent, last-minute cancellation of a planned congressional staff briefing, originally scheduled for January 31, 2017, has prompted concerns about the company’s willingness to deal with Congress with complete candor,” the letter states.

The senators have presented a list of questions about the breaches to Yahoo and demanded an answer no later than Feb. 23.

“We’re in receipt of the letter, reviewing it and will respond as appropriate,” a Yahoo spokesperson said.