Yahoo warns users of account breaches related to recent attacks

'A forged cookie may have been used ... to access your account'

Yahoo is warning users about potential breaches of their accounts.
Michael Kan

Yahoo has begun warning individual users that their accounts with the service may have been compromised in a massive data breach it reported late last year.

The warning, in email messages sent from Yahoo CISO Bob Lord, tell users that a forged cookie may have been used to access their accounts in previous years.

The warning to Yahoo users come at the same time that news reports suggest that Verizon Communications, in negotiations to buy Yahoo, may be seeking a discount of $250 million because of the data breaches.

In December, Yahoo reported that data associated with more than 1 billion user accounts was stolen in August 2013. Less than three months earlier, the company reported a separate data breach affecting more than 500 million users that originally occurred in late 2014.

In a new warning to users sent Wednesday, Yahoo said the forged cookie problem allowed hackers to gain access to user accounts without passwords. The company connected the issue to the breach it reported in September.

"Based on the ongoing investigation, we believe a forged cookie may have been used in 2015 or 2016 to access your account," the new email from Yahoo says. "We have connected some of the cookie forging activity to the same state-sponsored actor believed to be responsible for the data theft we disclosed on Sept. 22, 2016."

Yahoo has not identified the state-sponsored actor. The new email was sent to users whose accounts were breached in what was apparently a general attack. Individual users who seem to have been specifically targeted by the state-sponsored actor were sent an additional notice.

Yahoo recommended that users review their accounts for suspicious activity, be cautious of unsolicited communications that ask for personal information, and avoid clicking on links or downloading attachments from suspicious email messages. The company asked users to consider adopting its Yahoo Account Key, an authentication tool that eliminates the need for a password.

"We invalidated the forged cookies and hardened our systems to secure them against similar attacks," Yahoo said in the new email. "We continuously enhance our safeguards and systems that detect and prevent unauthorized access to user accounts."

Related:
Computerworld's IT Salary Survey 2017 results
Shop Tech Products at Amazon