Yahoo said that the attackers who managed to create the company's cookies were able to gain access to about 32 million user accounts without password.
“External forensic experts have identified approximately 32 millions user accounts they believe fake cookies were used to breach in 2015 and 2016,” Yahoo disclosed in its annual report filed with the US Securities and Exchange Commission (SEC) on Wednesday.
"We believe that part of this activity is linked to the same state-sponsored hackers who are believed to be responsible for the 2014 security incident. "
Yahoo began to alert some of its customers in mid-February that attackers had access to their accounts using sophisticated cookies.
The company unveiled details of the first hack in September last year, and reported that about 500 million user accounts were violated. Yahoo also said that although passwords and some other information had leaked, hackers were unable to obtain bank account information.
In December, a second one was revealed infringement, in which more than 1 billion accounts are believed to have been stolen in August 2013.
In a statement, Yahoo reported that hackers had stolen names, e-mail addresses, phone numbers, hashed passwords, birthdates, and in some cases, encrypted or unencrypted security questions and answers.
To date, there are approximately 43 lawsuits filed against Yahoo in the United States over the specific security incidents. Last month, Yahoo and Verizon agreed to reduce the price of the upcoming acquisition deal by $350 million in the wake of the two attacks and are expected to share some of the legal and regulatory obligations when the deal between the two companies closes.
The agreement, which so far is valued at about 4.480.000.000 dollars, is expected to be completed in the second quarter of 2017.