It was only last year that Yahoo fessed up to two separate data breaches of its user records. The earlier of the two occurred in 2013, and the attackers gained access to over 1 billion Yahoo user accounts. According to Yahoo's own disclosure, the stolen data included names, email addresses, telephone numbers, dates of birth, hashed passwords and, in some cases, security questions and answers.
Yahoo assured their users that they had beefed up their security measures and recommended that users replace their passwords. Account users grumbled but ultimately followed Yahoo’s recommendation. The world moved on and hoped it wouldn’t happen again. Well, imagine that–it happened again.
Emails from Yahoo started reaching users this month about a data security issue. One of our readers happens to be one of them. The email that was forwarded to us reads as follows:
“Dear (our reader),
We are writing to inform you about a data security issue that involves your Yahoo account. We have taken steps to secure your account and are working closely with law enforcement.
Our outside forensic experts have been investigating the creation of forged cookies that could allow an intruder to access users’ accounts without a password. Based on the ongoing investigation, we believe a forged cookie may have been used in 2015 or 2016 to access your account. We have connected some of the cookie forging activity to the same state-sponsored actor believed to be responsible for the data theft we disclosed on September 22, 2016. Those users targeted by the state-sponsored actor were sent an additional notification like the one found here: https://help.yahoo.com/kb/SLN26995.html
We invalidated the forged cookies and hardened our systems to secure them against similar attacks. We continuously enhance our safeguards and systems that detect and prevent unauthorized access to user accounts.
We encourage you to follow these security recommendations:
- Review all your accounts for suspicious activity.
- Be cautious of any unsolicited communications that ask for your personal information or refer you to a web page asking for personal information.
- Avoid clicking on links or downloading attachments from suspicious emails.
Additionally, please consider using Yahoo Account Key, a simple authentication tool that eliminates the need to use a password on Yahoo altogether.
For More Information
For more information about this issue and our security resources, please visit the Yahoo Account Security Issue FAQs page available at https://yahoo.com/security-update.
Protecting your information is important to us and we work continuously to strengthen our defenses.
Chief Information Security Officer
Our reader informed us that they changed their password once more and are increasingly inclined to delete their Yahoo account altogether. They also expressed severe misgivings and doubt over the Yahoo Account Key, which forgoes the need for a password. Our reader said, “The hacker–whoever it is, gained access to my account without my password to begin with. So doesn’t that suggest that going password-less won’t really do anything?”
A session cookie is not a password. It is the token a site sets in your browser after you have logged in successfully, so that you are not asked for your password again on every request. Think of the ‘remember me’ option on a sign-in page. If an attacker can manufacture a cookie the site accepts as genuine, the server treats the request as coming from an already-authenticated user and never asks for the password at all; that is what the “state-sponsored actor” did to the affected Yahoo accounts. This also bears on our reader’s question: forging the cookie bypasses whatever login step normally issues it, so switching to a password-less login such as Account Key changes how a session is started, not what a forged session can do. The fix has to come from Yahoo’s side, by invalidating the cookies and whatever material was used to forge them, which is what the notice says was done. This is a disconcerting blow to a still recovering user base. So far, the total number of customers affected by the cookie-based breach is still unknown.
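To make concrete what “forging a cookie” means, here is an added example written for this article. It is not Yahoo’s code, and the notice above does not say how Yahoo’s cookies are built or exactly what the attackers obtained; the example uses a generic HMAC-signed session cookie, and the secret values, user names and timestamps in it are constructed for illustration. It shows that a cookie cannot be tampered with by someone who lacks the signing secret, that anyone who does hold that secret can mint a valid cookie for any user without ever touching a password, and that rotating the secret is what “invalidating” every outstanding cookie amounts to in this model.

```python
import hashlib
import hmac
from typing import Optional

# Constructed fixed clock so the demonstration is deterministic.
NOW = 1_700_000_000


def issue_cookie(secret: bytes, user: str, ttl: int = 3600, now: int = NOW) -> str:
    """Server side: after a successful login, sign "user|expiry" with the site secret."""
    payload = f"{user}|{now + ttl}"
    tag = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{tag}"


def verify_cookie(secret: bytes, cookie: str, now: int = NOW) -> Optional[str]:
    """Server side: return the user the cookie vouches for, or None if it is invalid.

    The server never sees a password here; the signature alone decides
    whether the request is treated as authenticated.
    """
    try:
        user, expiry_s, tag = cookie.rsplit("|", 2)
        expiry = int(expiry_s)
    except ValueError:
        return None
    expected = hmac.new(secret, f"{user}|{expiry_s}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):  # constant-time compare
        return None
    if now >= expiry:
        return None
    return user


def tamper_without_secret(cookie: str, victim: str) -> str:
    """Attacker WITHOUT the secret: swap the user name but keep the old signature."""
    _user, expiry_s, tag = cookie.rsplit("|", 2)
    return f"{victim}|{expiry_s}|{tag}"


def forge_with_secret(leaked_secret: bytes, victim: str, now: int = NOW) -> str:
    """Attacker WITH the signing secret: mint a long-lived cookie for any account.

    No password, password hash or login step is involved; this is the
    'access without a password' described in the Yahoo notice.
    """
    ten_years = 10 * 365 * 24 * 3600
    return issue_cookie(leaked_secret, victim, ttl=ten_years, now=now)


def demo() -> dict:
    secret_v1 = b"constructed-site-secret-v1"  # constructed value
    secret_v2 = b"constructed-site-secret-v2"  # constructed replacement after rotation

    legit = issue_cookie(secret_v1, "alice")
    tampered = tamper_without_secret(legit, "bob")
    forged = forge_with_secret(secret_v1, "bob")

    return {
        # A genuine cookie is accepted for its owner.
        "legit_user": verify_cookie(secret_v1, legit),
        # Editing the cookie without the secret breaks the signature: rejected.
        "tampered_user": verify_cookie(secret_v1, tampered),
        # A cookie minted with the leaked secret is indistinguishable from a real one.
        "forged_user": verify_cookie(secret_v1, forged),
        # Rotating the secret invalidates every cookie signed with the old one,
        # forged and legitimate alike (users simply log in again).
        "forged_after_rotation": verify_cookie(secret_v2, forged),
        "legit_after_rotation": verify_cookie(secret_v2, legit),
        # Ordinary cookies also die on their own once the TTL passes.
        "legit_after_expiry": verify_cookie(secret_v1, legit, now=NOW + 3601),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the last two entries is the trade-off a site faces after an incident like this one: the only way to be sure every forged cookie is dead is to change the material that signs them, which also logs out every legitimate user, and to keep the lifetime of ordinary cookies short so that a forged one cannot stay valid for years as the attacker's did here.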