Photo: Paul Chinn, The Chronicle
As it apparently gets closer to selling its core Internet business to Verizon — at a reduced price — Yahoo is warning users of potentially malicious activity on their accounts between 2015 and 2016, the latest development in the Sunnyvale company’s investigation of a mega-breach that exposed 1 billion users’ data several years ago.
Yahoo confirmed Wednesday that it is notifying users that their accounts had potentially been compromised but declined to say how many people are affected.
Meanwhile, the company is near a deal to lower the price of the sale of its core business to Verizon by close to $300 million, a person with knowledge of the matter said Wednesday.
The original deal, announced last year, carried a $4.8 billion price tag.
If completed, the revised agreement would help Yahoo finally move past questions about the fate of the deal, after the troubled company disclosed the hacking incidents, which affected several hundred million Yahoo accounts.
Since then, Verizon executives have negotiated hard in public and in private, arguing that the revelations could have a material effect on the deal.
Under the revised terms, the two companies are expected to share legal responsibility and costs for the data breaches, the person with knowledge of the matter said.
For Yahoo, concluding a revised deal would let the company move on from a protracted sales process that has played out in public.
The Web pioneer finally pursued the sale of its Internet business — including its still-popular mail, Yahoo Finance and sports arms — after years of investor discontent under a succession of chief executives, most recently Marissa Mayer.
When the sale closes, the remaining company — to be renamed Altaba — will have investments in the Chinese e-commerce giant Alibaba, as well as Yahoo Japan and a small portfolio of patents.
As for the latest breach revelations, Yahoo tied some of the potential compromises to what it has described as the “state-sponsored actor” responsible for the theft of private data from more than 1 billion user accounts in 2013 and 2014. The stolen data included email addresses, birth dates and answers to security questions.
The malicious activity that was the subject of the user warnings revolved around the use of “forged cookies” — strings of data which are used across the web and can sometimes allow people to access online accounts without re-entering their passwords.
A warning message sent to Yahoo users Wednesday read: “Based on the ongoing investigation, we believe a forged cookie may have been used in 2015 or 2016 to access your account.” Some users posted the ones they received to Twitter.
“Within six people in our lab group, at least one other person has gotten this email,” Joshua Plotkin, a biology professor at the University of Pennsylvania, said. “That’s just anecdotal of course, but for two people in a group of six to have gotten it, I imagine it’s a considerable amount.”
Plotkin said in a telephone interview that he wasn’t concerned because he used his Yahoo email for messages that were “close to spam.” In the message he posted to Twitter , he joked that “hopefully the cookie was forged by a state known for such delicacies.”