Yahoo Quietly Informs Users of a “Forged Cookie” Attack

Yahoo has recently suffered a series of bad press announcements, mostly stemming from cyberattacks dating back as far as 2013. In two separate disclosures last year, the company informed users that roughly 1.5 billion accounts in total were believed to have been breached (about 500 million in one incident and around 1 billion in another), making it the largest data breach in history at the time.

Now, Yahoo is once again informing its users of a cybersecurity issue, after quietly mentioning it in an October 2016 filing with the Securities and Exchange Commission and in a December 2016 security posting. According to the emailed notifications that users have received, hackers may have accessed their Yahoo accounts through "forged cookies" as recently as 2015 or 2016.

You may have come across the term "cookies" on various websites over the years, either informing you that the site uses cookies and you need to agree to it, or proudly letting you know that the site does not use cookies. What are they talking about? Cookies are small pieces of data that a website asks your browser to store; the browser then sends them back with every later request to that site, which is how the site recognizes you from one page load to the next. You can turn off or delete cookies through your web browser, or allow them to remain, as they are designed to give you a more personalized experience with the website. Cookies are the reason a website's advertising might display lawn tools to one viewer and high-dollar makeup to another. They are also the reason your email or your Amazon account is already logged in when you return to those sites: after you sign in, the site gives your browser a session cookie, and presenting that cookie later stands in for typing your password again.

According to Yahoo's announcements, the attackers were able to forge these session cookies, which meant a forged cookie could be used to access a user's email account without requiring the password at all. The company has now invalidated those cookies and tightened up security surrounding their use, but it also recommends that all users monitor their accounts for signs of suspicious activity. One good place to start looking is your Sent mail folder; if you see emails sent out that you don't remember sending, your account may have been used by a hacker.
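To make the cookie discussion above concrete, here is an added example (not Yahoo's code, and not a description of Yahoo's actual cookie format, which is not public): a throwaway login-cookie design that anyone can forge, next to one bound to a server-side secret with an expiry and a key version. The secret, user names and timestamps are made up for the illustration. It shows why a forged cookie stands in for a password, how possession of the signing secret lets an attacker mint cookies for any account, and how rotating the secret is what "invalidating those cookies" amounts to on the server side.

```python
"""Forgeable session cookies versus cookies bound to a server secret.

Added illustration for the article; the cookie layout, secret and user
names are assumptions made up for the example, not Yahoo's design.
"""
import base64
import hashlib
import hmac
import time
from typing import Optional


# --- Forgeable design: the cookie is just an encoding of the account name. ---
# Anyone who learns the format can mint a cookie for any user, no password needed.

def issue_unsigned_cookie(username: str) -> str:
    return base64.urlsafe_b64encode(username.encode()).decode()


def check_unsigned_cookie(cookie: str) -> Optional[str]:
    """Returns the account the cookie names; nothing here proves who minted it."""
    try:
        return base64.urlsafe_b64decode(cookie.encode()).decode()
    except Exception:
        return None


# --- Hardened design: user, expiry and key version, authenticated with an HMAC. ---

class CookieSigner:
    def __init__(self, secret: bytes, version: int = 1, ttl: int = 3600):
        self.keys = {version: secret}  # key ring, indexed by key version
        self.current = version
        self.ttl = ttl  # cookie lifetime in seconds

    def _mac(self, version: int, payload: str) -> str:
        return hmac.new(self.keys[version], payload.encode(), hashlib.sha256).hexdigest()

    def issue(self, username: str, now: Optional[int] = None) -> str:
        """Mint 'version:user_b64:expiry:tag'. The user name is base64-encoded so it
        cannot contain the ':' delimiter."""
        now = int(time.time()) if now is None else now
        user_b64 = base64.urlsafe_b64encode(username.encode()).decode()
        payload = f"{self.current}:{user_b64}:{now + self.ttl}"
        return f"{payload}:{self._mac(self.current, payload)}"

    def verify(self, cookie: str, now: Optional[int] = None) -> Optional[str]:
        """Return the account name if the cookie is genuine and unexpired, else None."""
        now = int(time.time()) if now is None else now
        parts = cookie.split(":")
        if len(parts) != 4:
            return None
        ver_s, user_b64, exp_s, tag = parts
        try:
            version, expiry = int(ver_s), int(exp_s)
        except ValueError:
            return None
        if version not in self.keys:  # signed under a retired key: invalidated
            return None
        expected = self._mac(version, f"{ver_s}:{user_b64}:{exp_s}")
        if not hmac.compare_digest(expected, tag):  # constant-time comparison
            return None
        if expiry < now:
            return None
        return base64.urlsafe_b64decode(user_b64.encode()).decode()

    def rotate(self, new_secret: bytes) -> None:
        """Retire every outstanding cookie at once: drop the old keys, install a new one
        under a new version number. Users simply have to log in again."""
        self.current += 1
        self.keys = {self.current: new_secret}


if __name__ == "__main__":
    server = CookieSigner(b"server-secret-from-config", ttl=3600)
    cookie = server.issue("alice", now=1000)
    print("genuine cookie:", server.verify(cookie, now=2000))          # alice
    # An attacker who has obtained the signing secret can mint a valid cookie
    # for any account; that is the "forged cookie" situation.
    thief = CookieSigner(b"server-secret-from-config", ttl=3600)
    print("forged with stolen secret:", server.verify(thief.issue("bob", now=1000), now=2000))
    server.rotate(b"fresh-secret-after-incident")
    print("after rotation:", server.verify(cookie, now=2000))          # None
```

The unsigned variant is what "forging" is in its simplest form: the server trusts whatever account name the cookie carries. The signed variant is only as strong as the secret, so once that secret (or code that embeds it) is in an attacker's hands, the remedy is to rotate it, which is why a remediation of this kind ends with every user being logged out.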

Yahoo is also warning users to be on the lookout for strange emails that tell you to click a link; never click a link in an email you weren't expecting, even if it came from a sender you know (that person's account may have been hacked). They also recommend that you ignore any emails that tell you to provide your personal information or "update" your account, no matter who the sender appears to be. Finally, Yahoo recommends enabling two-factor authentication whenever you can. One caveat worth knowing: two-factor authentication protects the login step, and a forged session cookie bypasses the login step entirely, so it would not by itself have stopped this particular attack. It does, however, block the far more common account takeover in which someone has learned your password, which is exactly the risk after a breach of this size.
