Yahoo Now Reporting a Third Attack, Again Blames “State-Sponsored” Hackers
Did you think the bad times for Yahoo were over? Umm, nope. The company started notifying its users yesterday about cyber attackers potentially compromising their accounts "in the past two years." Yes, the company is once again late to the party, notifying about the malicious activity months after it became aware of it.
We are writing to inform you about a data security issue that involves your Yahoo account. Our outside forensics experts have been investigating the creation of forged cookies that could allow an intruder to access users' accounts without a password.
Based on the ongoing investigation, we believe a forged cookie may have been used in 2015 and 2016 to access your account.
The latest notification comes two months after the company revealed that data from more than 1 billion users had been compromised in August 2013, making it the largest breach in history. This notification had come after an earlier report of a 2014 breach that had impacted over 500 million users. These two data breaches that impacted over 1.5 billion users in total are now followed by a separate attack - the number of affected users is unknown.
As with the last two breaches, the company continues to blame an unnamed "state-sponsored" hacking group. Yahoo believes that the latest cookie-forging activity is also linked to the same group. However, the name of the group or the state backing these hackers remains unspecified. Since the public reports of last two breaches in 2016, security experts have pointed to Russia and China, as always. However, we are yet to see any evidence or hear from Yahoo about this "nation-state" hacking group.
Yahoo said that the company first reported the cookie forging activity in a filing in November 2016. While this report was probably dwarfed by the leak of over 1 billion Yahoo accounts, Yahoo has only started to notify its users this week.
The company's investigation has revealed that the latest attack involved the use of forged cookies, that were used to access people’s accounts without entering their passwords.
"The investigation has identified user accounts for which we believe forged cookies were taken or used. Yahoo is in the process of notifying all potentially affected account holders. Yahoo has invalidated the forged cookies so they cannot be used again." - Yahoo
Earlier this week, two senators grilled the company over ducking lawmakers' questions. Yahoo has to address these unanswered questions by February 23.