Stop me if you’ve heard this before, but Yahoo was hacked. Yes, again. Or better said, your Yahoo account may have been breached by hackers. This is the third time in a matter of months that Yahoo disclosed a massive security breach. It’s unclear how many users were affected, but what’s remarkable about this new attack is that hackers were able to access accounts without needing the user’s password. That means simply changing your Yahoo password might not be enough to protect you from malicious individuals.
According to Ars Technica , Yahoo sent out a round of notifications to affect users, telling them their accounts may have been accessed by unauthorized parties at some point in 2015 and/or 2016.
“Based on the ongoing investigation, we believe a forged cookie may have been used in 2015 or 2016 to access your account,” the message reads.
Apparently, hackers were able to steal software from Yahoo’s internal servers, which was then used to create fake cookies which could unlock user accounts with the attacker actually needing credentials.
A Yahoo user posted on Twitter the message he received from the company.
Hopefully the cookie was forged by a state known for such delicacies. #yahoo #security #baking pic.twitter.com/7gCeEd3Y51
— Joshua B. Plotkin (@jplotkin) February 15, 2017
The attacker is most likely a “state actor,” the company said, although Yahoo didn’t reveal any other details.
Even if this new hack may have not as many hundreds of millions of users as the previous ones, it’s still dangerous given that hackers developed more sophisticated tools to breach an account that should be protected by a password.
As Ars further explains, Yahoo did mention the cookie-based attack quietly in a SEC filing in October 2016. That’s definitely not the way to do it, considering that not everyone reads SEC filings.
“Forged cookies could allow an intruder to access users’ accounts without a password,” Yahoo explained. “Based on an ongoing Yahoo investigation, we believe an unauthorized third party accessed our proprietary code to learn how to forge cookies.”
The new hack was revealed just as news broke out that Verizon and Yahoo are renegotiating the terms of the deal. Verizon will pay for Yahoo some $250 million less than the initial $4.8 billion offer. The reason? The previous two major hacks that compromised Yahoo accounts belonging to hundred of millions of users.
UPDATE: Yahoo reached out to BGR to note that the hack is not new even though it just made the news, and that it was disclosed last year. Furthermore, the fake cookies have been neutralized.
“As we have previously disclosed, our outside forensic experts have been investigating the creation of forged cookies that could have enabled an intruder to access our users’ accounts without a password,” a spokesperson said. “The investigation has identified user accounts for which we believe forged cookies were taken or used. Yahoo is in the process of notifying all potentially affected account holders. Yahoo has invalidated the forged cookies so they cannot be used again.”