Attackers Accessed Yahoo Email Users' Accounts Without Passwords Using Forged Cookies

Yahoo can’t seem to stay out of the news lately. The tech giant is now warning some customers that attackers accessed their accounts without a password by means of a sophisticated cookie-forging attack.

Emails from Yahoo to customers were forwarded to ZDNet.com and detailed in this story:

“Our outside forensic experts have been investigating the creation of forged cookies that could allow an intruder to access users’ accounts without a password. Based on the ongoing investigation, we believe a forged cookie may have been used in 2015 or 2016 to access your account.”

The attacks have been labeled as “state sponsored,” which is to say they are motivated by strategic gains (oftentimes political, commercial or military interests of their country of origin) that aren’t necessarily financial.

ZDNet.com contacted Yahoo, which confirmed the authenticity of the notifications:

“The investigation has identified user accounts for which we believe forged cookies were taken or used. Yahoo is in the process of notifying all potentially affected account holders,” according to a spokesperson who didn’t reveal how many customers are affected.

Yahoo revealed in September that more than 500 million records had been stolen, and then in December admitted that more than one billion records were stolen in a separate incident.

The rise of state-sponsored attacks has caught both U.S. businesses and the government off guard, as detailed in this Wall Street Journal story that ran in September 2016.

 
