Yahoo Quietly Informs Users of a “Forged Cookie” Attack
Yahoo has recently suffered a run of bad press, mostly stemming from cyberattacks dating as far back as 2013. In two separate discoveries last year, the company informed users that around 1.5 billion email accounts were believed to have been breached, making it the largest data breach in history.
Now, Yahoo is once again informing its users of a cybersecurity issue, after quietly mentioning it in an October 2016 filing with the Securities and Exchange Commission and in a December 2016 security posting. According to the emailed notifications that users have received, hackers may have accessed their Yahoo accounts through “forged cookies” as recently as 2015 or 2016.
According to Yahoo’s announcements, these forged cookies were deployed by hackers and could have been used to access users’ email accounts without requiring a password. The company has now invalidated those cookies and tightened up security surrounding their use, but also recommends that all users monitor their accounts for signs of suspicious activity. One great place to start looking is in your Sent mail folder; if you see emails sent out that you don’t remember sending, your account may have been used by a hacker.
Yahoo is also warning users to be on the lookout for strange emails that tell you to click a link; never click a link in an email if you weren’t expecting it, even if it came from a sender you know (that user’s account may have been hacked). They also recommend that you ignore any emails that tell you to provide your personal information or “update” your account, no matter who the sender appears to be. Finally, Yahoo recommends enabling two-factor authentication whenever you can, as it may provide an additional layer of security.