Mike Snider and Elizabeth Weise

USA TODAY

Some Yahoo account holders are being notified that an intruder may have accessed their account without the need of a password.

The incidents stem from the data theft that Yahoo disclosed on Sept. 22, 2016, in which at least 500 million Yahoo accounts were stolen from the company in 2014 — an action that the online media company believed was performed by a state-sponsored actor.

In the ongoing investigation into that breach, Yahoo has recently notified some users via email that "we believe a forged cookie may have been used in 2015 or 2016 to access your account."

According to the email, which was signed by Bob Lord, Yahoo's chief information security officer, forensic experts retained by Yahoo found that the intruder created forged cookies that "could allow an intruder to access users’ accounts without a password."

In a statement to USA TODAY, Yahoo said the investigation into the breach "has identified user accounts for which we believe forged cookies were taken or used. Yahoo is in the process of notifying all potentially affected account holders. Yahoo has invalidated the forged cookies so they cannot be used again."

Yahoo's notification comes amid reports of a tentatively renegotiated deal for Verizon's acquisition of the company, giving the telecom giant a $250 million discount on its original $4.8 billion bid.

This forged cookie spoofing tactic "has been around for years (and) ... seems unlikely that Yahoo wouldn't have known about this,” said Ryan O'Leary, vice president of the Threat Research Center and technical support at WhiteHat Security in Santa Clara, Calif. So it could be that "they wanted to release this as Yahoo, so that they didn’t have to release it as Verizon later on,” he said.

Cookies are long strings of letters and numbers that your computer stores to make it easy to log into a site when you return. "When you get to the site, it sees the cookie and knows who you are and logs you in automatically,” O'Leary said.

The bad news? “If hackers steal that cookie, they can use it to log into your account," O'Leary said.
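The login-by-cookie mechanism O'Leary describes, and the "invalidated the forged cookies" step in Yahoo's statement, can be made concrete with a small session-cookie issuer. The code below is an added example written for this page; it is not Yahoo's code and says nothing about how Yahoo's cookies were actually built. The cookie layout (base64 JSON body plus an HMAC-SHA256 tag), the `SessionCookies` class, the `forge_without_key` helper and the secret key are all hypothetical. It shows why a cookie that carries a valid server signature logs a user in without a password, why a cookie minted without the server's key is rejected, and two ways a site can invalidate cookies that are already in circulation: revoking individual session ids and rotating the signing key.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Tuple


def _b64e(raw: bytes) -> str:
    # URL-safe base64 without padding, so the cookie has no "=" characters
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _b64d(text: str) -> bytes:
    # Re-add the padding stripped by _b64e before decoding
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class SessionCookies:
    """Hypothetical issuer/verifier for HMAC-signed session cookies.

    Cookie format (an assumption for this example): "<base64 JSON body>.<hex HMAC tag>".
    The body carries the user id, a random session id and an expiry time.
    """

    def __init__(self, key: bytes):
        self.key = key
        self.revoked = set()  # session ids the server has invalidated

    def _tag(self, body: str) -> str:
        return hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()

    def issue(self, user_id: str, ttl: int = 3600, now: Optional[int] = None) -> str:
        now = int(time.time()) if now is None else now
        payload = {"uid": user_id, "sid": secrets.token_hex(16), "exp": now + ttl}
        body = _b64e(json.dumps(payload, sort_keys=True).encode())
        return f"{body}.{self._tag(body)}"

    def verify(self, cookie: str, now: Optional[int] = None) -> Tuple[Optional[str], str]:
        """Return (user_id, reason); user_id is None whenever the cookie is rejected."""
        now = int(time.time()) if now is None else now
        body, sep, tag = cookie.rpartition(".")
        if not sep:
            return None, "malformed"
        # Constant-time comparison: a cookie whose tag was not produced with our
        # key (forged, tampered, or signed under a retired key) fails here.
        if not hmac.compare_digest(self._tag(body), tag):
            return None, "bad-signature"
        try:
            payload = json.loads(_b64d(body))
        except ValueError:
            return None, "malformed"
        if int(payload.get("exp", 0)) <= now:
            return None, "expired"
        if payload.get("sid") in self.revoked:
            return None, "revoked"
        # A valid, unexpired, unrevoked cookie logs the user in with no password.
        return payload.get("uid"), "ok"

    def revoke(self, cookie: str) -> None:
        """Invalidate one specific cookie by denylisting its session id."""
        body = cookie.rpartition(".")[0]
        try:
            sid = json.loads(_b64d(body)).get("sid")
        except ValueError:
            return
        if sid:
            self.revoked.add(sid)

    def rotate_key(self, new_key: bytes) -> None:
        """Invalidate every outstanding cookie at once by changing the signing key."""
        self.key = new_key


def forge_without_key(user_id: str, now: int) -> str:
    """Build a cookie with the right layout but no knowledge of the server key.

    Used here only to show that the server's signature check rejects it.
    """
    payload = {"uid": user_id, "sid": secrets.token_hex(16), "exp": now + 3600}
    body = _b64e(json.dumps(payload, sort_keys=True).encode())
    return f"{body}.{'0' * 64}"  # placeholder tag; not a valid HMAC


if __name__ == "__main__":
    site = SessionCookies(b"constructed-server-secret")  # constructed sample key
    cookie = site.issue("alice", now=1000)
    print(site.verify(cookie, now=1500))                       # ('alice', 'ok')
    print(site.verify(forge_without_key("alice", 1000), now=1500))  # (None, 'bad-signature')
    site.revoke(cookie)
    print(site.verify(cookie, now=1500))                       # (None, 'revoked')
```

The important design point is that a signature only proves the cookie was minted by whoever holds the key; once a cookie is known or suspected to be in the wrong hands, the server still has to do something active, which is why the example keeps a revocation list and a key-rotation hook rather than relying on expiry alone.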

Yahoo declined comment about the timing and size of the user notifications.

In addition to the 2014 breach, Yahoo also disclosed in December 2016 what is expected to be the largest reported data breach ever, involving the theft of data associated with more than one billion user accounts in August 2013.

The Securities and Exchange Commission is reportedly investigating both breaches and whether Yahoo should have notified investors sooner about the incidents. Yahoo noted in a November 2016 SEC filing that it was cooperating with the SEC, Federal Trade Commission and other federal, state, and foreign governmental officials and agencies including "a number of State Attorneys General, and the U.S. Attorney’s office for the Southern District of New York."
