Yahoo stated that the attackers managed to create cookies of the company, were able to gain access to about 32 million user accounts without code access.
"The outsiders forensic experts have identified approximately 32 million user accounts that they believe fake cookies were used to breach in 2015 and 2016,” Yahoo disclosed in its annual report, filed with the US Securities and Exchange Commission (SEC) on Wednesday.
"We believe that part of this activity is linked to the same state-sponsored hackers who are believed to be responsible for the 2014 security incident. "
Yahoo began to alert some of its customers in mid-February that attackers had access to their accounts using sophisticated cookies.
The company disclosed the details of the first hack in September last year, and reported that around 500 million user accounts were compromised. Yahoo also said that although passwords and some other information were leaked, the hackers were unable to obtain data bank accounts.
In December a second violation was revealed, believed to have stolen more than 1 billion accounts in August of 2013.
In a statement, Yahoo reported that hackers had stolen names, e-mail addresses, phone numbers, hashed passwords, birthdates, and in some cases, encrypted or unencrypted security questions and answers.
To date, there are approximately 43 lawsuits filed against Yahoo in the United States over these security incidents. Last month, Yahoo and Verizon agreed to reduce it price of the upcoming $350 million buyout deal in the wake of the two attacks and are expected to share some of the legal and regulatory responsibilities when the deal between the two companies closes.
The agreement, which so far is valued at about 4.480.000.000 dollars, is expected to be completed in the second quarter of 2017.