Yahoo issues another warning in fallout from hacking attacks

Verizon is close to a renegotiated deal for Yahoo Inc.’s Internet properties, spurred by data breaches, that would reduce the price of the $4.8 billion agreement by about $250 million.
Marcio Jose Sanchez/Associated Press/File 2015

LONDON — Yahoo is warning users of potentially malicious activity on their accounts between 2015 and 2016, the latest development in the internet company’s investigation of a mega-breach that exposed 1 billion users’ data several years ago.

Yahoo confirmed Wednesday that it was notifying users that their accounts had potentially been compromised but declined to say how many people were affected.

In a statement, Yahoo tied some of the potential compromises to what it has described as the ‘‘state-sponsored actor’’ responsible for the theft of private data from more than 1 billion user accounts in 2013 and 2014. The stolen data included e-mail addresses, birth dates, and answers to security questions.


The catastrophic breach raised questions about Yahoo’s security and destabilized the company’s deal to sell its e-mail service, websites, and mobile applications to Verizon Communications.

The malicious activity that was the subject of the user warnings revolved around the use of ‘‘forged cookies’’ — strings of data which are used across the Web and can sometimes allow people to access online accounts without re-entering their passwords.

A warning message sent to Yahoo users Wednesday read: ‘‘Based on the ongoing investigation, we believe a forged cookie may have been used in 2015 or 2016 to access your account.’’ Some users posted the ones they received to Twitter.

‘‘Within six people in our lab group, at least one other person has gotten this e-mail,’’ Joshua Plotkin, a biology professor at the University of Pennsylvania, said. ‘‘That’s just anecdotal of course, but for two people in a group of six to have gotten it, I imagine it’s a considerable amount.’’

Plotkin said in a telephone interview that he wasn’t concerned because he used his Yahoo e-mail for messages that were ‘‘close to spam.’’ In the message he posted to Twitter, he joked that ‘‘hopefully the cookie was forged by a state known for such delicacies.’’


Meanwhile, Verizon is close to a renegotiated deal for Yahoo Inc.’s Internet properties that would reduce the price of the $4.8 billion agreement by about $250 million after the revelation of security breaches, according to people familiar with the matter.

In addition to the discount, Verizon and the entity that remains of Yahoo after the deal, to be renamed Altaba Inc., are expected to share any ongoing legal responsibilities related to the breaches, said the people, who asked not to be identified discussing private information. An announcement of the new agreement could come in a matter of days or weeks, said the people. The revised agreement isn’t final and could still change, they said.

Yahoo, based in Sunnyvale, Calif., erased an earlier decline on the news, climbing 1.4 percent to $45.65 while Verizon slid 0.37 percent to $48.08. Shareholders would have to approve a revised deal.

‘‘It looks like they’re going to get a price cut — but it’s not dramatic,’’ said Brett Harriss, an analyst at Gabelli & Co. There is ‘‘more certainty around there actually being a sale.’’

Yahoo said in December that cyberthieves in 2013 siphoned information including users’ e-mail addresses, scrambled account passwords, and dates of birth. The stolen data may allow criminals to go after more sensitive personal information elsewhere online. The announcement followed news in September of a 2014 breach that affected at least 500 million customer accounts.


Representatives of Yahoo, Verizon, and Verizon’s AOL unit declined to comment.

Last month, Yahoo said the sale would be delayed to the second quarter as the company assesses the impact from the breaches and meets closing conditions.

The deal was first announced in July and had been set to wrap in the first quarter of 2017.

The potential reworked deal signals that investigations into the breaches have been completed -- a key concern for investors, according to a note from Kunal Madhukar, an analyst at SunTrust Robinson Humphrey.

Verizon, based in New York, is buying Yahoo for its billion users as it tries to expand beyond a maturing wireless and landline business into mobile media and advertising ventures. Verizon had been seeking either a discount or termination of the deal in the wake of the hacks.

Yahoo Chief Executive Officer Marissa Mayer is under pressure to conclude the deal. Her failure to turn around the company led to a bidding process that Verizon won in July. Mayer was running the company when both of the hacks took place.

Yahoo had said it hadn’t been able to identify the ‘‘intrusion’’ associated with the theft by a third party in August 2013. The event was unearthed by forensic experts after law enforcement investigators warned the company about a potential breach.

The attacks on Yahoo’s system have sparked concerns from regulators and prompted lawsuits. In November, the company said it was cooperating with federal, state, and foreign governmental officials and agencies seeking information about the 2014 hack, including the Federal Trade Commission and the U.S. Securities and Exchange Commission. In December, following the admission of a second hack, a White House spokesman said the FBI was probing the Yahoo hack as well.

Material from Bloomberg News was used in this report.