Yahoo notifies users of 'forged cookie' breach
Mike Snider and Elizabeth Weise, USA TODAY

Some Yahoo account holders are being notified that an intruder may have accessed their account without the need of a password. The incidents stem from the data theft that Yahoo disclosed on Sept. 22, 2016, in which at least 500 million Yahoo accounts were stolen from the company in 2014, an action that the online media company believed was performed by a state-sponsored actor.

In the ongoing investigation into that breach, Yahoo has recently notified some users via email that "we believe a forged cookie may have been used in 2015 or 2016 to access your account." Forensic experts used by Yahoo said that the intruder created forged cookies that "could allow an intruder to access users' accounts without a password," said the email to users, which was signed at the bottom by Bob Lord, Yahoo's chief information security officer.

In a statement to USA TODAY, Yahoo said the investigation into the breach "has identified user accounts for which we believe forged cookies were taken or used." Yahoo is in the process of notifying all potentially affected account holders. Yahoo has invalidated the forged cookies so they cannot be used again.

Yahoo's notification could be timely, coming with reports of a tentative renegotiated deal for Verizon's acquisition of the company, giving the telecom giant a $250 million discount on its original $4.8 billion bid. This forged cookie spoofing tactic "has been around for years (and) ... seems unlikely that Yahoo wouldn't have known about this," said Ryan O'Leary, vice president of the Threat Research Center and technical support at WhiteHat Security in Santa Clara, Calif. So it could be that "they wanted to release this as Yahoo, so that they didn't have to release it as Verizon later on," he said.

Cookies are long strings of letters and numbers that your computer stores to make it easy to log into a site when you return. "When you get to the site, it sees the cookie and knows who you are and logs you in automatically," O'Leary said. The bad news? "If hackers steal that cookie, they can use it to log into your account," O'Leary said.

Yahoo declined comment about the timing and size of the user notifications.
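The cookie mechanism O'Leary describes above, and the two defensive properties a server needs against the article's scenario (a cookie that cannot be forged without a server-held key, and a cookie that can be invalidated after the fact, as Yahoo says it did), are shown in the following added example. It is illustrative code written for this page, not Yahoo's session scheme, and it says nothing about how the real forged cookies were produced. The key, the session store and the user names are constructed; the cookie format `user:session_id:expiry:hmac_tag` is an assumption of the example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional

# Constructed server-side secret. Anyone without this key cannot produce a
# valid tag, which is what stops a cookie being forged from scratch.
SERVER_KEY = secrets.token_bytes(32)

# Constructed server-side revocation set: session ids the server has invalidated.
# Checking it on every request is what lets a stolen or forged cookie be shut off.
REVOKED_SESSION_IDS = set()


def _tag(payload: str) -> str:
    """HMAC-SHA256 over the cookie payload, keyed with the server secret."""
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_cookie(user: str, ttl_seconds: int = 3600, now: Optional[float] = None) -> str:
    """Mint a cookie 'user:session_id:expiry:tag' for a user who just logged in."""
    if ":" in user:
        raise ValueError("user name may not contain the field separator ':'")
    now = time.time() if now is None else now
    session_id = secrets.token_hex(16)          # unpredictable per-login id
    expiry = int(now) + ttl_seconds
    payload = f"{user}:{session_id}:{expiry}"
    return f"{payload}:{_tag(payload)}"


def verify_cookie(cookie: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user name if the cookie is authentic, unexpired and not revoked, else None."""
    now = time.time() if now is None else now
    parts = cookie.split(":")
    if len(parts) != 4:
        return None
    user, session_id, expiry, tag = parts
    # Constant-time comparison so the check leaks nothing about the expected tag.
    if not hmac.compare_digest(_tag(f"{user}:{session_id}:{expiry}"), tag):
        return None
    if not expiry.isdigit() or int(expiry) < now:
        return None
    if session_id in REVOKED_SESSION_IDS:
        return None
    return user


def revoke_cookie(cookie: str) -> None:
    """Invalidate a cookie server-side so it can no longer be used, even if it is still valid."""
    parts = cookie.split(":")
    if len(parts) == 4:
        REVOKED_SESSION_IDS.add(parts[1])


def run_demo() -> Dict[str, bool]:
    """Exercise the four cases; each value is True only if the server accepted the cookie."""
    issued_at = 1_000_000                        # constructed fixed clock
    cookie = issue_cookie("alice", now=issued_at)
    user, session_id, expiry, tag = cookie.split(":")
    # A cookie altered to claim another user keeps the old tag, so it fails the HMAC check.
    tampered = f"bob:{session_id}:{expiry}:{tag}"
    results = {
        "valid": verify_cookie(cookie, now=issued_at + 10) == "alice",
        "tampered": verify_cookie(tampered, now=issued_at + 10) == "bob",
        "expired": verify_cookie(cookie, now=issued_at + 3601) == "alice",
    }
    revoke_cookie(cookie)
    results["revoked"] = verify_cookie(cookie, now=issued_at + 10) == "alice"
    return results


if __name__ == "__main__":
    print(run_demo())
```

The design point is that the cookie itself carries no trust: the server trusts only a tag it could have produced with its own key, and it still consults its own revocation set before honouring the cookie. Revocation is what makes an incident response like the one in the article possible; a scheme with signed-but-unrevocable cookies would have to rotate the key and log every user out instead.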
In addition to the 2014 breach, Yahoo also disclosed in December 2016 what is expected to be the largest reported data breach ever, involving the theft of data associated with more than one billion user accounts in August 2013. The Securities and Exchange Commission is reportedly investigating both breaches and whether Yahoo should have notified investors sooner about the incidents. Yahoo noted in a November 2016 SEC filing that it was cooperating with the SEC, Federal Trade Commission and other federal, state, and foreign governmental officials and agencies including "a number of State Attorneys General, and the U.S. Attorney's office for the Southern District of New York."