Menu
Yahoo warns users of account breaches related to recent attacks

Yahoo warns users of account breaches related to recent attacks

'A forged cookie may have been used ... to access your account'

Yahoo has begun warning individual users that their accounts with the service may have been compromised in a massive data breach it reported late last year.

The warning, in email messages sent from Yahoo CISO Bob Lord, tell users that a forged cookie may have been used to access their accounts in previous years.

The warning to Yahoo users come at the same time that news reports suggest that Verizon Communications, in negotiations to buy Yahoo, may be seeking a discount of US$250 million because of the data breaches.

In December, Yahoo reported that data associated with more than 1 billion user accounts was stolen in August 2013. Less than three months earlier, the company reported a separate data breach affecting more than 500 million users that originally occurred in late 2014.

In a new warning to users sent Wednesday, Yahoo said the forged cookie problem allowed hackers to gain access to user accounts without passwords. The company connected the issue to the breach it reported in September.

"Based on the ongoing investigation, we believe a forged cookie may have been used in 2015 or 2016 to access your account," the new email from Yahoo says. "We have connected some of the cookie forging activity to the same state-sponsored actor believed to be responsible for the data theft we disclosed on Sept. 22, 2016."

Yahoo has not identified the state-sponsored actor. The new email was sent to users whose accounts were breached in what was apparently a general attack. Individual users who seem to have been specifically targeted by the state-sponsored actor were sent an additional notice.

Yahoo recommended that users review their accounts for suspicious activity, be cautious of unsolicited communications that ask for personal information, and avoid clicking on links or downloading attachments from suspicious email messages. The company asked users to consider adopting its Yahoo Account Key, an authentication tool that eliminates the need for a password.

"We invalidated the forged cookies and hardened our systems to secure them against similar attacks," Yahoo said in the new email. "We continuously enhance our safeguards and systems that detect and prevent unauthorized access to user accounts."


Follow Us

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags breachYahoocybersecurity

Featured

Slideshows

Ingram Micro maintains Showcase 2018 momentum in Wellington

Ingram Micro maintains Showcase 2018 momentum in Wellington

Ingram Micro maintained Showcase 2018 momentum in Wellington, hosting more than 40 vendors at TSB Arena. Under the banner of Leading the Way, the event demonstrated what’s new, what’s next and how it can be used to improve business and everyday life.

Ingram Micro maintains Showcase 2018 momentum in Wellington
Ingram Micro launches Showcase 2018 in Christchurch

Ingram Micro launches Showcase 2018 in Christchurch

Ingram Micro kickstarted Showcase 2018 in Christchurch, hosting more than 40 vendors at Horncastle Arena. Under the banner of Leading the Way, the event demonstrated what’s new, what’s next and how it can be used to improve business and everyday life.

Ingram Micro launches Showcase 2018 in Christchurch
Data breach notification laws in NZ: How can partners prepare?

Data breach notification laws in NZ: How can partners prepare?

This exclusive Reseller News Roundtable outlined the responsibilities facing security partners today, assessing risk while evaluating the role of the vendor in providing added layers of protection.

Data breach notification laws in NZ: How can partners prepare?
Show Comments