Yahoo hacked again: culprits used forged cookies to break into users’ accounts
Yahoo successfully continues to lose its outstanding reputation. Did you think that the previous data breaches[1], which affected more than 1.5 billion Yahoo users[2], forced the company to take preventative measures, finally patch all security vulnerabilities and make the website and its services secure again? Sadly, it doesn’t seem that Yahoo has achieved much in the security field, because another data breach was identified lately. The incident was, to say the least, overlooked: the company says it happened sometime between 2015 and 2016, and an official announcement about it was published on December 14, 2016[3]. According to this message, Yahoo has spotted data security problems regarding Yahoo user accounts, and its experts believe that attackers used a technical trick involving forged cookies[4], which allowed them to log into Yahoo accounts without even having the victims’ account passwords. The company claims to have invalidated these forged cookies and believes that the offenders might be related to the same state-sponsored actors who initiated the attack revealed on September 22, 2016. This breach definitely has side effects for the company itself, because reportedly Verizon, which intended to buy Yahoo’s core Internet business for $4.83, now wants a discount of $250 million to $350 million[5].
Although the company claims that these issues are fixed, users can hardly trust Yahoo again. If you received an email from Yahoo called “Important security information for Yahoo users,” you need to take action to protect your account immediately. Yahoo claims that hackers may have accessed users’ names, telephone numbers, birthdates, passwords, and encrypted or unencrypted security questions and answers. However, Yahoo says it believes that payment data and bank account information were not affected, as they were not stored on the system it thinks was affected. The question is, can you trust these words? We therefore suggest you take measures to secure your credit card and bank account information immediately.
Yahoo advises users to change the passwords and security questions for their Yahoo account as well as for any accounts that are linked to it or were created using the same login details. Users should also check their accounts for suspicious activity and avoid emails that ask for personal information or contain vague-looking URLs or attachments. The company also advises using Yahoo’s Account Key, which, once enabled, sends a notification to the user’s mobile phone asking them to confirm an attempt to log into the Yahoo account.
- [1] Sam Thielman. Yahoo hack: 1bn accounts compromised by biggest data breach in history. The Guardian.
- [2] SEC set to grill Yahoo for failure to report 1.5bn user data breaches - report. RT.
- [3] Yahoo Security Notice December 14, 2016. Yahoo Help.
- [4] Alyssa Newcomb. What Is a Forged Cookie and How Did it Allow Hackers to Get Into My Yahoo Account?. NBC News.
- [5] David Shepardson, Jessica Toonkel. Verizon close to Yahoo deal, price cut of $250-350 million: sources. Reuters.