Yahoo users may have had their accounts accessed by hackers without them even having to use passwords to get in, the company is notifying users once more. Instead of passwords, hackers are believed to have used forged cookies to access the accounts.
The issue had already been disclosed in the November 2016 SEC filing, but considering the size of the breaches the company disclosed in September and December, which affected 500 million accounts and 1 billion accounts, respectively, the issue went pretty much unnoticed.
"Based on the ongoing investigation, we believe a forged cookie may have been used in 2015 or 2016 to access your account. We have connected some of the cookie forging activity to the same state-sponsored actor believed to be responsible for the data theft we disclosed on September 22, 2016," reads Yahoo's warning to users.
According to the company, the forged cookies have been invalidated, while Yahoo systems have been hardened in order to secure them against similar attacks. Of course, this is what everyone thought before the previously disclosed breaches too. "We continuously enhance our safeguards and systems that detect and prevent unauthorized access to user accounts," Yahoo adds.
"Technical details of forged cookies attacks are unclear, but it seems that Yahoo had some serious problems with authentication and session management mechanisms. It's a good example of how an application logic flaw can cost millions. It's certainly the right decision to notify users, however such a delay, if not justified or excused, can trigger a collective lawsuit against Yahoo. Once GDPR will be enforced in May 2018, Yahoo may face huge fines for such undue delays bordering with negligence," security firm High-Tech Bridge CEO, Ilia Kolochenko, told Softpedia.
Users are advised to review all their accounts for suspicious activities, to be cautious of any unsolicited communications asking for their personal information or sending them to web pages asking for personal information, which may very well be phishing attacks. Avoiding to click on links and download attachments is also a good way to keep yourself safe from various malware and ransomware attacks.
Another advise Yahoo has for users is to start using the Yahoo Account Key, which basically turns your phone into your password. Every time you try to log into your account, instead of typing in your password, you'll see a notification on your phone's screen, which you can validate or not in order to permit access to your account. This new way to log in replaces the two-step authentication everyone (hopefully) had in place.
While the breaches were well known, the fact that people's accounts may have been accessed without their passwords went a bit under the radar. The question, however, is why Yahoo didn't notify users about this issue beforehand and why they waited until the middle of February if the issue was known for so many months.
Furthermore, it would be great if Yahoo started giving people access to their account activity history for more than the default 30 days so they can check whether anything bad actually happened. At the moment, this is impossible.
It remains to be seen whether this new revelation will affect the Yahoo-Verizon deal in any way, as it is already known that the September and December data breaches were a bit of a setback for the deal, which was expected to close by the end of the first quarter.