Yahoo confirmed it was notifying some users of sophisticated cyber attacks aimed to compromise their accounts.
The hackers are adopting hacking methods to forge “cookies” or files used in the authentication process, instead of stealing their passwords.
The IT giant disclosed the alarming data in response to the massive data breach disclosed last year that created serious problems for the company.
Yahoo has sent the notifications to “a reasonably final list” of users that were potentially affected, the message sent via email reads:
“we believe a forged cookie may have been used in 2015 or 2016 to access your account.”
“As we have previously disclosed, our outside forensic experts have been investigating the creation of forged cookies that could have enabled an intruder to access our users’ accounts without a password,” the company said in a statement.
“The investigation has identified user accounts for which we believe forged cookies were taken or used.”
The attackers forged cookies that “could allow an intruder to access users’ accounts without a password,” said the email to users. The notification was signed by Bob Lord, Yahoo’s chief information security officer.
In October, a former company executive revealed the number of affected user accounts in the Yahoo data breach may be between 1 Billion and 3 Billion.
In December Yahoo admitted crooks have stolen details of more than a billion user accounts. In 2013, hackers broke into the systems of Yahoo and accessed one billion user accounts containing names, addresses, phone numbers, and hashed passwords easy to crack. The passwords were protected with MD5 hashing algorithm that is easy to crack, the leaked data also include some encrypted and cleartext security questions and answers have been compromised too.
The data breaches suffered by Yahoo had an impact on the sale of the company to telecom giant Verizon for $4.8 billion. Initially, Verizon requested a discount of 1 Billion of the price, now it seems that the two companies had agreed to discount the price by $250 million to $300 million following disclosure of the data breach.
(Security Affairs – cybercrime, data breach)