Yahoo has sent out another round of account compromise notifications, warning users that hackers may have accessed their accounts by using forged cookies instead of passwords. How many in total, the company wouldn’t say.
This attack is not exactly news, as the company disclosed it in November 2016 in an SEC filing. But, after the revelations about the massive Yahoo breaches from 2013 and 2014, it passed largely unnoticed.
A first round of notifications to potentially affected users went out in December 2016, but that was obviously not the end of it.
According to the SEC filing, the attacker – believed to be the same “state-sponsored actor” that had access to Yahoo’s network in late 2014 – created cookies that allowed access to users’ accounts or account information without a password.
According to some of the notifications published by the most recent recipients, the attacker seems to have used the forged cookies to access user accounts in 2015 and 2016. Yahoo has invalidated those cookies in the meantime.
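To show why a forged cookie can stand in for a password, and why invalidating the cookies is the remedy, here is an added illustration that is not part of the article and not Yahoo’s implementation: a toy HMAC-signed session cookie, a tampered cookie that fails without the key, a cookie minted by someone holding a copy of the signing key, and a key rotation that voids everything issued before it. All names and values are constructed.

```python
import base64, binascii, hashlib, hmac, json, secrets

def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()
def unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text.encode())

class SessionCookies:
    """Toy HMAC-signed session cookie: base64(claims) + "." + base64(HMAC-SHA256(key, claims)).
    Constructed for illustration; it is not Yahoo's scheme."""

    def __init__(self, key: bytes):
        self.key = key

    def issue(self, user: str, now: int, ttl: int = 3600) -> str:
        claims = json.dumps({"sub": user, "exp": now + ttl}, separators=(",", ":")).encode()
        tag = hmac.new(self.key, claims, hashlib.sha256).digest()
        return b64(claims) + "." + b64(tag)

    def verify(self, cookie: str, now: int):
        """Return the user the cookie vouches for, or None if it is forged, tampered or expired."""
        try:
            claims, tag = (unb64(part) for part in cookie.split(".", 1))
            expected = hmac.new(self.key, claims, hashlib.sha256).digest()
            # Constant-time comparison: a wrong or retired key yields a wrong tag
            if not hmac.compare_digest(tag, expected):
                return None
            parsed = json.loads(claims)
        except (ValueError, binascii.Error):
            return None
        return parsed.get("sub") if parsed.get("exp", 0) > now else None

    def rotate_key(self) -> None:
        """Invalidate every outstanding cookie at once by replacing the signing key."""
        self.key = secrets.token_bytes(32)

def demo(now: int = 1_700_000_000) -> dict:
    """Legitimate cookie, tampered cookie, cookie minted with a stolen key, then rotation."""
    server = SessionCookies(secrets.token_bytes(32))
    legit = server.issue("alice", now)
    # Tampering without the key: swap the claims but keep alice's tag
    tampered = b64(b'{"sub":"bob","exp":%d}' % (now + 3600)) + "." + legit.split(".")[1]
    # Whoever holds a copy of the signing key needs no password to mint a valid cookie
    minted = SessionCookies(server.key).issue("bob", now)
    before = {c: server.verify(k, now) for c, k in (("legit", legit), ("tampered", tampered), ("minted", minted))}
    server.rotate_key()  # the defensive response: every earlier cookie stops verifying
    after = {c: server.verify(k, now) for c, k in (("legit", legit), ("minted", minted))}
    return {"before": before, "after": after}
```

The point for defenders is that cookie validity rests on the secrecy of the signing key, not on the user’s password, so a compromised key is a password bypass for every account, and rotating that key (or clearing a server-side session store) is what "invalidating the cookies" means in practice.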
“While it is ‘news’ that Yahoo is making another announcement about a breach, it shouldn’t be surprising,” said Jason Hart, Vice President and Chief Technology Officer at Gemalto.
“The company recommended that users consider adopting its Yahoo Account Key, an authentication tool that eliminates the need for a password. However, tools like this only work if the user remembers to activate them. Given the current security climate, all companies should have multi-factor authentication activated by default for all online accounts. Opt-in security is not an option in this day and age,” he noted. “Now, it only remains to see how much more of a discount Verizon may ask for.”
Yahoo is still in talks with Verizon about the planned acquisition, and the amount the internet giant will go for keeps falling.