February 17, 2017

Yahoo: Your Email Accounts May Have Been Hacked, Again

For the third time in less than 6 months, Yahoo has warned users that their email accounts may have been hacked.

On the day when Verizon is reportedly renegotiating its deal to acquire Yahoo at $250 less than the original amount, Yahoo has revealed that its users' email accounts may be compromised.

While declining to reveal the number of accounts or users affected, Yahoo has begun notifying users that their accounts may have been accessed without their knowledge between 2015 and 2016.

In an email circular sent to users today, the company stated:

Based on the ongoing investigation, we believe a forged cookie may have been used in 2015 or 2016 to access your account.

These “forged cookies” were first revealed by Yahoo in December, when the company admitted to the breach of a billion user accounts. The company believes the forged cookie incident to be related to an earlier breach it reported in September, one that involved 500 million accounts.

“As we have previously disclosed, our outside forensic experts have been investigating the creation of forged cookies that could have enabled an intruder to access our users’ accounts without a password,” a Yahoo spokesperson confirmed in a statement. “The investigation has identified user accounts for which we believe forged cookies were taken or used. Yahoo is in the process of notifying all potentially affected account holders. Yahoo has invalidated the forged cookies so they cannot be used again.”

Researchers believe that, to create these rogue cookies, malicious hackers obtained Yahoo’s source code in order to breach the internet company’s databases.

Intriguingly, Yahoo adds that the breaches were the result of a state-sponsored attack, although there is no evidence to prove this claim.

In recent times, Yahoo has admitted to a number of significant data breaches, including the 500 million accounts compromised in 2014 and up to a billion accounts – one of the largest data breaches ever – in 2013. Notably, these mega-breaches only came to light last year. As a consequence, the Securities and Exchange Commission (SEC) is now investigating Yahoo to see why the web giant waited years before disclosing the attacks.

About the author

LIFARS is the global leader in Digital Forensics and Cyber Resiliency Services. Our experience spans two decades working on high profile events, often in concert with Law Enforcement Agencies around the world. Our proprietary methodology derives directly and indirectly from our experience working with and for U.S. Intelligence Agencies, Interpol, Europol, and NATO. We are solely dedicated to Cyber Resiliency and thus pay close attention to all aspects of our clients’ engagement experience while providing a strategic and integrated array of services to minimize risk and disruption while protecting your brand.
