Yahoo

An unauthorised third party gained access to the company's secret code to learn how to forge specific cookies, which gave the intruder unrestricted access to almost 32 million user accounts.

The compromised information included names, email addresses, telephone numbers, hashed passwords, dates of birth, and, in some cases, encrypted or unencrypted security questions and answers, but payment and bank information remained safe.

Source: https://www.zdnet.com/article/yahoo-says-32m-user-accounts-accessed-via-cookie-forging-attack/

TPRM report: https://scoringcyber.rankiteo.com/company/yahoo

"id": "yah1236722",
"linkid": "yahoo",
"type": "Breach",
"date": "03/2017",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization’s existence"
{'affected_entities': [{'customers_affected': '32 million'}],
 'attack_vector': 'Cookie Manipulation',
 'data_breach': {'number_of_records_exposed': '32 million',
                 'personally_identifiable_information': True,
                 'type_of_data_compromised': ['Names',
                                              'Email addresses',
                                              'Telephone numbers',
                                              'Hashed passwords',
                                              'Dates of birth',
                                              'Encrypted or unencrypted '
                                              'security questions and '
                                              'answers']},
 'description': "An unauthorised third party gained access to the company's "
                'secret code to learn how to fake specific cookies, which '
                'allowed the intrusive party to have unrestricted access to '
                'almost 32 million user accounts. The compromised information '
                'included names, email addresses, telephone numbers, hashed '
                'passwords, dates of birth, and, in some cases, encrypted or '
                'unencrypted security questions and answers, but payment and '
                'bank information remained safe.',
 'impact': {'data_compromised': ['Names',
                                 'Email addresses',
                                 'Telephone numbers',
                                 'Hashed passwords',
                                 'Dates of birth',
                                 'Encrypted or unencrypted security questions '
                                 'and answers']},
 'title': 'Unauthorized Access to User Accounts',
 'type': 'Data Breach',
 'vulnerability_exploited': 'Stolen secret code for cookie generation'}