Cyber Incident Victim: Yahoo Malaysia
Date: Jan 2014
Location: United States of America
Summary
A major cybersecurity incident involved unauthorized access to user accounts through forged authentication cookies created using proprietary code stolen by a state-sponsored actor, enabling account infiltration without passwords. The breach also compromised personal data including names, email addresses, telephone numbers, dates of birth, hashed passwords, and security questions for at least 500 million accounts. Forensic investigations revealed no ongoing network presence by the threat actor, though stolen cookies were actively exploited to access accounts. The company invalidated compromised cookies and security credentials while coordinating with law enforcement. These security failures impacted corporate acquisition negotiations, resulting in a significant reduction of the company's valuation.
Description
In late 2014, a state-sponsored actor breached Yahoo's network and stole a copy of user account information associated with at least 500 million accounts. The stolen data included names, email addresses, telephone numbers, dates of birth, hashed passwords (primarily secured with bcrypt), and in some cases encrypted or unencrypted security questions and answers. The investigation confirmed the breach did not compromise unprotected passwords, payment card data, or bank account information, as those were not stored in the affected systems. Yahoo publicly disclosed this incident on September 22, 2016, notifying potentially affected users and initiating security measures including password resets, invalidation of unencrypted security questions, and recommendations to adopt Yahoo Account Key for passwordless authentication. The company established a dedicated security update FAQ page and noted its collaboration with law enforcement. Yahoo also highlighted its existing program for detecting state-sponsored attacks, which had notified approximately 10,000 users since December 2015.

Separately, Yahoo’s investigation uncovered a distinct incident in which attackers used stolen proprietary code to forge authentication cookies, gaining unauthorized access to accounts without passwords during 2015 and 2016. This incident was first acknowledged in an October 2016 SEC filing and detailed in a December 14, 2016, security notice. Between February 15 and 16, 2017, Yahoo notified additional users that forged cookies might have been used to access their accounts, attributing the activity to a likely state actor. The company invalidated all forged cookies to prevent further misuse. This discovery occurred during Verizon’s acquisition negotiations and led to a $250 million reduction in Yahoo’s sale price from the original $4.8 billion. The 2017 notifications represented the final phase of the cookie breach investigation and covered a nearly complete list of affected users.
