An unauthorised third party gained access to the company's secret code to learn how to fake specific cookies, which allowed the intrusive party to have unrestricted access to almost 32 million user accounts.
The compromised information included names, email addresses, telephone numbers, hashed passwords, dates of birth, and, in some cases, encrypted or unencrypted security questions and answers, but payment and bank information remained safe.
Source: https://www.zdnet.com/article/yahoo-says-32m-user-accounts-accessed-via-cookie-forging-attack/
TPRM report: https://scoringcyber.rankiteo.com/company/yahoo
"id": "yah1236722",
"linkid": "yahoo",
"type": "Breach",
"date": "03/2017",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization’s existence"{'affected_entities': [{'customers_affected': '32 million'}],
'attack_vector': 'Cookie Manipulation',
'data_breach': {'number_of_records_exposed': '32 million',
'personally_identifiable_information': True,
'type_of_data_compromised': ['Names',
'Email addresses',
'Telephone numbers',
'Hashed passwords',
'Dates of birth',
'Encrypted or unencrypted '
'security questions and '
'answers']},
'description': "An unauthorised third party gained access to the company's "
'secret code to learn how to fake specific cookies, which '
'allowed the intrusive party to have unrestricted access to '
'almost 32 million user accounts. The compromised information '
'included names, email addresses, telephone numbers, hashed '
'passwords, dates of birth, and, in some cases, encrypted or '
'unencrypted security questions and answers, but payment and '
'bank information remained safe.',
'impact': {'data_compromised': ['Names',
'Email addresses',
'Telephone numbers',
'Hashed passwords',
'Dates of birth',
'Encrypted or unencrypted security questions '
'and answers']},
'title': 'Unauthorized Access to User Accounts',
'type': 'Data Breach',
'vulnerability_exploited': 'Stolen secret code for cookie generation'}