Menu
Yahoo warns users of account breaches related to recent attacks

Yahoo warns users of account breaches related to recent attacks

'A forged cookie may have been used ... to access your account'

Yahoo has begun warning individual users that their accounts with the service may have been compromised in a massive data breach it reported late last year.

The warning, in email messages sent from Yahoo CISO Bob Lord, tell users that a forged cookie may have been used to access their accounts in previous years.

The warning to Yahoo users come at the same time that news reports suggest that Verizon Communications, in negotiations to buy Yahoo, may be seeking a discount of US$250 million because of the data breaches.

In December, Yahoo reported that data associated with more than 1 billion user accounts was stolen in August 2013. Less than three months earlier, the company reported a separate data breach affecting more than 500 million users that originally occurred in late 2014.

In a new warning to users sent Wednesday, Yahoo said the forged cookie problem allowed hackers to gain access to user accounts without passwords. The company connected the issue to the breach it reported in September.

"Based on the ongoing investigation, we believe a forged cookie may have been used in 2015 or 2016 to access your account," the new email from Yahoo says. "We have connected some of the cookie forging activity to the same state-sponsored actor believed to be responsible for the data theft we disclosed on Sept. 22, 2016."

Yahoo has not identified the state-sponsored actor. The new email was sent to users whose accounts were breached in what was apparently a general attack. Individual users who seem to have been specifically targeted by the state-sponsored actor were sent an additional notice.

Yahoo recommended that users review their accounts for suspicious activity, be cautious of unsolicited communications that ask for personal information, and avoid clicking on links or downloading attachments from suspicious email messages. The company asked users to consider adopting its Yahoo Account Key, an authentication tool that eliminates the need for a password.

"We invalidated the forged cookies and hardened our systems to secure them against similar attacks," Yahoo said in the new email. "We continuously enhance our safeguards and systems that detect and prevent unauthorized access to user accounts."


Follow Us

Join the newsletter!

Error: Please check your email address.

Tags cybersecurityYahoobreach

Featured

Slideshows

Channel celebrates as HP marks 50 years in NZ

Channel celebrates as HP marks 50 years in NZ

HP marked 50 years in New Zealand at an event in the vendor's Auckland's headquarters last night, with a host of key channel figures coming along to celebrate. Photos by HP.

Channel celebrates as HP marks 50 years in NZ
EDGE 2017 - Icebreaker Sessions round 2

EDGE 2017 - Icebreaker Sessions round 2

EDGE guests experience the value of networking at the second round of Icebreaker sessions.. Photos by Maria Stefina

EDGE 2017 - Icebreaker Sessions round 2
EDGE 2017 Dinner Under the Stars

EDGE 2017 Dinner Under the Stars

EDGE's Day 2 keynote and breakout sessions were followed by the Dinner Under the Stars. Over 300 people were present to enjoy a seafood feast and lots of excitement at Hamilton Island's Bougainvillea Marquee. Photos by Maria Stefina.

EDGE 2017 Dinner Under the Stars
Show Comments