
Yahoo Notifies Users of More Malicious Activity (Update)


tao


This time, it's about the forged cookies which granted hackers access to people's accounts without passwords

 

Yahoo is notifying users once more that their accounts may have been accessed by hackers, this time without the attackers needing to use passwords at all. Instead of passwords, the hackers are believed to have used forged cookies.

 

The issue had already been disclosed in the November 2016 SEC filing, but considering the size of the breaches the company disclosed in September and December, which affected 500 million accounts and 1 billion accounts, respectively, the issue went pretty much unnoticed.

 

"Based on the ongoing investigation, we believe a forged cookie may have been used in 2015 or 2016 to access your account. We have connected some of the cookie forging activity to the same state-sponsored actor believed to be responsible for the data theft we disclosed on September 22, 2016," reads Yahoo's warning to users.

 

According to the company, the forged cookies have been invalidated, while Yahoo systems have been hardened in order to secure them against similar attacks. Of course, this is what everyone thought before the previously disclosed breaches too. "We continuously enhance our safeguards and systems that detect and prevent unauthorized access to user accounts," Yahoo adds.

 

"Technical details of forged cookies attacks are unclear, but it seems that Yahoo had some serious problems with authentication and session management mechanisms. It's a good example of how an application logic flaw can cost millions. It's certainly the right decision to notify users, however such a delay, if not justified or excused, can trigger a collective lawsuit against Yahoo. Once GDPR will be enforced in May 2018, Yahoo may face huge fines for such undue delays bordering with negligence," security firm High-Tech Bridge CEO, Ilia Kolochenko, told Softpedia.

 

Safety steps

Users are advised to review all their accounts for suspicious activity and to be cautious of any unsolicited communications asking for their personal information or sending them to web pages that ask for personal information, which may very well be phishing attacks. Avoiding clicking on links and downloading attachments is also a good way to keep yourself safe from various malware and ransomware attacks.

 

Another piece of advice Yahoo has for users is to start using the Yahoo Account Key, which basically turns your phone into your password. Every time you try to log into your account, instead of typing in your password, you'll see a notification on your phone's screen, which you can approve or reject in order to permit or deny access to your account. This new way to log in replaces the two-step authentication everyone (hopefully) had in place.

 

While the breaches were well-known, the fact that people's accounts may have been accessed without their passwords went a bit under the radar. The question is, however, why Yahoo didn't notify users about this issue beforehand and why they waited until the middle of February if the issue had been known for so many months.

 

Furthermore, it would be great if Yahoo started giving people access to their account activity history for more than the default 30 days so they can check whether anything bad actually happened. At the moment this is impossible.

 

It remains to be seen whether this new revelation will affect the Yahoo-Verizon deal in any way, as it is already known that the September and December data breaches were a bit of a setback for the deal, which was expected to close by the end of the first quarter.

 

Ref: http://news.softpedia.com/news/yahoo-notifies-users-of-more-malicious-activity-512996.shtml

 

 


I'm considering removing my Yahoo account. They get breached, then they get breached again. That by itself is the straw that broke the camel's back for me (I should have done this a long time ago).



I use Yahoo email and their messenger but won't use the email for anything to do with money, purchases, or credit / banking accounts.

 

To make me happy, Yahoo needs to allow VoIP for the Yahoo Account Key and other contact phone number. Yahoo won't accept my Google Voice phone number.

 

I also feel uncomfortable that they have my birthdate showing in account data. Anybody who hacks my email can see my birthdate, and there's no reason for showing that piece of my identity puzzle.

 

I would imagine other email databases have been stolen that we will never hear about. Visa called me about a year ago saying somewhere I do online business with was compromised and they were mailing me a new Visa card, and once I used it, to destroy my old card. They wouldn't tell me which business it was, and I never heard from nor saw in the news which business it was.



They bit the dust the moment they decided to do away with the Chat Rooms. For me Yahoo was a lost cause from Dec 2012. So yeah those who are still with them, need to find a better home for their email activity pronto. This is just my innocent opinion by the way :)




Got my email today saying mine was accessed via the forged cookie between 2015 and 2016. A bit freaking late telling me now in 2017.
