Yahoo has begun warning individual users that their accounts
with the service may have been compromised in a massive data
breach it reported late last year.
The warning, in email messages sent from Yahoo CISO Bob
Lord, tell users that a forged cookie may have been used to
access their accounts in previous years.
The warning to Yahoo users come at the same time that news
reports suggest that Verizon Communications, in
negotiations to buy Yahoo, may be
seeking a discount of US$250 million because of the data
Yahoo reported that data associated with more than 1
billion user accounts was stolen in August 2013. Less than
three months earlier, the company reported a separate data
breach affecting more than 500 million users that originally
occurred in late 2014.
In a new warning to users sent Wednesday, Yahoo said the forged
cookie problem allowed hackers to gain access to user accounts
without passwords. The company connected the issue to the
breach it reported in September.
“Based on the ongoing investigation, we believe a forged cookie
may have been used in 2015 or 2016 to access your account,” the
new email from Yahoo says. “We have connected some of the
cookie forging activity to the same state-sponsored actor
believed to be responsible for the data theft we disclosed on
Sept. 22, 2016.”
Yahoo has not identified the state-sponsored actor. The new
email was sent to users whose accounts were breached in
what was apparently a general attack. Individual users who seem
to have been specifically targeted by the state-sponsored actor
were sent an additional notice.
Yahoo recommended that users review their accounts for
suspicious activity, be cautious of unsolicited communications
that ask for personal information, and avoid clicking on links
or downloading attachments from suspicious email messages. The
company asked users to consider adopting its Yahoo Account Key,
an authentication tool that eliminates the need for a password.
“We invalidated the forged cookies and hardened our systems to
secure them against similar attacks,” Yahoo said in the new
email. “We continuously enhance our safeguards and systems that
detect and prevent unauthorized access to user accounts.”