It might be outright safe to say that the era of YAHOO! is over.
Yahoo has warned, and is still warning, some customers that state-sponsored attackers have had access to their accounts by using a sophisticated cookie forging attack, which amazingly doesn’t even require obtaining user passwords.
How’s that even possible?!? *shock_emoji
The announcement by the e-mail provider follows a series of high-profile breaches reportedly suffered by this same company last year. Sometime in September 2016, the Sunnyvale giant revealed it had suffered a massive attack affecting close to a million users. February makes it three months, and yet YAHOO could only come forward with news of another major breach and no solution to the last.
In December as well, another separate theft of one billion records, the highest record theft in history, was revealed.
Yahoo made it known that the hackers were able to get access to accounts without needing passwords after getting hold of the company’s source code used to generate cookies: with the code (and the secrets it relies on) in hand, an attacker can mint cookies that the site accepts as genuine sessions.
In response to the source code theft, Yahoo invalidated the cookies, effectively locking out the attackers. However, Yahoo only began sending out emails on Wednesday, as news broke that Verizon (the company buying the web giant), lowered its purchasing price for the company by $250 million as a result of the two historic hacks.
Though the extent of the breach cannot be ascertained at the moment, it can be said with confidence that it puts the privacy and lives of over a billion users at risk.
An email sent to some account owners from Yahoo reads:
“Our outside forensic experts have been investigating the creation of forged cookies that could allow an intruder to access users’ accounts without a password. Based on the ongoing investigation, we believe a forged cookie may have been used in 2015 or 2016 to access your account.”
Quite a number of users on Twitter also affirmed that they had received an identical email notification.
“The investigation has identified user accounts for which we believe forged cookies were taken or used. Yahoo is in the process of notifying all potentially affected account holders,” a spokesperson said while confirming that the notifications were indeed true and genuinely from YAHOO.
With these recurring (back-to-back) attacks, I guess it’s high time one finds another e-mail provider.