Yahoo said that the attackers who managed to create the company's cookies were able to gain access to about 32 million user accounts without a password access.
"External forensic experts have identified approximately 32 million user accounts suspected of using counterfeit cookies to breach in 2015 and 2016," Yahoo said in its annual report to the Securities and Exchange Commission (SEC). Wednesday.
"We believe that part of this activity is linked to the same state-sponsored hackers who are believed to be responsible for the 2014 security incident. "
Yahoo began to alert some of its customers in mid-February that attackers had access to their accounts using sophisticated cookies.
The company revealed the details of the first hack in September last year, and reported that around 500 million were compromised accounts users. Yahoo also said that although passwords and some other information were leaked, the hackers were unable to obtain bank account information.
In December a second violation was revealed, believed to have stolen more than 1 billion accounts in August of 2013.
In a statement, Yahoo reported that hackers had stolen names, e-mail addresses, phone numbers, hashed passwords, birthdates, and in some cases, encrypted or unencrypted security questions and answers.
To date, there are approximately 43 lawsuits filed against Yahoo in the United States over the specific security incidents. Last month, Yahoo and Verizon agreed to reduce the price of the upcoming acquisition deal by $350 million in the wake of the two attacks and are expected to share some of the legal and regulatory obligations when the deal between the two companies closes.
The agreement, which so far is valued at about 4.480.000.000 dollars, is expected to be completed in the second quarter of 2017.