Yahoo Announces Yet Another Data Breach
Yesterday, Yahoo emailed a number of users regarding yet another data breach. The company alleges that state-sponsored attackers used a cookie-forging attack to gain access to Yahoo user accounts without the users' passwords.
The email read, “Our outside forensic experts have been investigating the creation of forged cookies that could allow an intruder to access users’ accounts without a password. Based on the ongoing investigation, we believe a forged cookie may have been used in 2015 or 2016 to access your account.”
This most recent breach seems to be separate from the August 2013 breach, which involved more than one billion user accounts. However, some of the 2015 and 2016 attacks could have links to the 2014 state-sponsored attack that involved 500 million accounts. The company has not addressed how many additional users may have been affected in this third attack.
Apparently, the attackers stole Yahoo’s source code and used it to generate the cookies. The company said it invalidated the cookies as soon as it learned of the attack, which locked out the hackers.
This most recent announcement follows news that Verizon, which is purchasing Yahoo, has asked for a $250 million discount after learning of the 2013 and 2014 hacks. Yahoo is also facing multiple class-action lawsuits and inquiries from the SEC and lawmakers.