Yahoo warns users of potential malicious activity on their accounts

Yahoo warns users of potential malicious activity on their accounts
A Yahoo sign at the company's headquarters in Sunnyvale, Calif. (Marcio Jose Sanchez / Associated Press)

Yahoo Inc. is warning users of potentially malicious activity on their accounts between 2015 and 2016. It's the latest development in the Internet company's investigation of a mega-breach that exposed more than 1 billion users' data a few years ago.

Yahoo confirmed Wednesday that it was notifying users that their accounts had potentially been compromised, but it declined to say how many people were affected.


In a statement, the Sunnyvale, Calif., company tied some of the potential compromises to what it has described as the "state-sponsored actor" responsible for the theft of private data from more than 1 billion user accounts in 2013 and 2014. The stolen data included email addresses, birth dates and answers to security questions.

The catastrophic breach raised questions about Yahoo's security and destabilized the company's deal to sell its email service, websites and mobile applications to Verizon Communications Inc.

The newly reported malicious activity revolved around the use of "forged cookies" — strings of data that are used across the web and can enable people to access online accounts without reentering their passwords.

A warning message sent to Yahoo users Wednesday read: "Based on the ongoing investigation, we believe a forged cookie may have been used in 2015 or 2016 to access your account." Some users posted the ones they received to Twitter.

"Within six people in our lab group, at least one other person has gotten this email," said Joshua Plotkin, a biology professor at the University of Pennsylvania. "That's just anecdotal, of course, but for two people in a group of six to have gotten it, I imagine it's a considerable amount."

Yahoo's announcement came hours after reports that Verizon was close to a renegotiated deal to buy Yahoo's core assets at a lower price.

Verizon agreed in July to buy Yahoo's core business for $4.83 billion.

Citing unnamed sources, Bloomberg News said the renegotiated deal would knock about $250 million off that price because of security breaches that were revealed after the initial deal was struck.

In December, Yahoo said hackers had stolen data that could be connected to more than 1 billion accounts. The company said the breach probably occurred in August 2013.

User data that could have been stolen included names, telephone numbers, email addresses and dates of birth, as well as unencrypted security questions and answers.

At the time, Verizon said it would "evaluate the situation as Yahoo continues its investigation" and "review the impact of this new development before reaching any final conclusions."

Yahoo had disclosed a separate hack three months earlier involving approximately 500 million user accounts. That breach occurred in 2014 and went undetected by Yahoo for almost two years.

Verizon said in October that it had reason to believe the 2014 breach had "material impact" on the deal.

By buying Yahoo, analysts have said, Verizon could expand beyond wireless and broadband offerings into the potentially lucrative world of digital advertising.


Yahoo shares rose 1.4% on Wednesday to $45.65. Verizon shares fell 0.4% to $48.08.

Staff writer Samantha Masunaga contributed to this report. 



1:40 p.m.: This article was updated with stock prices.​​​​

12 p.m.: This article was updated with a comment from an affected user and additional details.

This article was originally published at 10:40 a.m.