Yahoo Inc. (YHOO), which has been reeling from two data breaches that impacted more than 1.5 billion customer accounts and placed its deal with Verizon Communications Inc. (VZ) in doubt, disclosed late Wednesday yet another potential hit.
According to a Reuters report, Yahoo has been alerting users of potential malicious activity in their accounts, but this time from 2015 and 2016. The previous data breaches, which were the largest in history, occurred in 2013 and 2014.
In a statement to Reuters, Yahoo confirmed it was alerting users who may have been impacted by the malicious code but would not say how many customers it affected. Yahoo said some of the latest potential malicious activity is the work of a “state sponsored actor” that was behind the 2013 and 2014 data breaches. In those cases the culprits got away with email addresses, dates of birth and security question answers. Yahoo said the malicious activity was centered on “forged cookies,” which could enable a hacker to access user accounts without the need for a password.
The Sale to Verizon
The latest revelation comes at a perilous time for Yahoo, which is trying to close the sale of its core internet assets to Verizon. Verizon originally agreed to pay $4.85 for those assets, but the deal has been up in the air since Yahoo disclosed the breaches.
In September, Yahoo rocked investors, consumers and Verizon when it revealed certain user-account information was stolen by the state-sponsored actor. At the time, Yahoo said as many as 500 million user accounts were affected by the hack. The stolen information may have included names, email addresses, telephone numbers, dates of birth and hashed passwords, Yahoo said.
That was followed by an announcement in mid-December in which Yahoo said it believes an “unauthorized third party” stole data associated with more than 1 billion user accounts in August 2013. Yahoo thinks the 2013 hack is “likely distinct” from the other incident. In November, Yahoo disclosed in a Securities and Exchange Commission filing that law enforcement provided it with data files that a hacker claimed were Yahoo user data. After analyzing the files with the help of outside forensic experts, Yahoo has said they turned out to be the company’s data.