Ya­hoo is­sues new warn­ing in hack­ing fall­out

The Hamilton Spectator - - BUSINESS - RAPHAEL SATTER

LON­DON — Ya­hoo is warn­ing users of po­ten­tially ma­li­cious ac­tiv­ity on their ac­counts be­tween 2015 and 2016 — the lat­est de­vel­op­ment in the In­ter­net com­pany’s in­ves­ti­ga­tion of a mega-breach that ex­posed one bil­lion users’ data sev­eral years ago.

Ya­hoo con­firmed Wed­nes­day it was no­ti­fy­ing users that their ac­counts had po­ten­tially been com­pro­mised but de­clined to say how many peo­ple were af­fected.

In a state­ment, Ya­hoo tied some of the po­ten­tial com­pro­mises to what it has de­scribed as the “state­spon­sored ac­tor” re­spon­si­ble for the theft of pri­vate data from more than a bil­lion user ac­counts in 2013 and 2014. The stolen data in­cluded email ad­dresses, birth dates and an­swers to se­cu­rity ques­tions.

The cat­a­strophic breach raised ques­tions about Ya­hoo’s se­cu­rity and desta­bi­lized the com­pany’s deal to sell its email ser­vice, web­sites and mo­bile ap­pli­ca­tions to Ver­i­zon Com­mu­ni­ca­tions.

The ma­li­cious ac­tiv­ity that was the sub­ject of the user warn­ings re­volved around the use of “forged cook­ies” — strings of data that are used across the web and can some­times al­low peo­ple to ac­cess on­line ac­counts with­out re-en­ter­ing their pass­words.

A warn­ing mes­sage sent to Ya­hoo users Wed­nes­day read: “Based on the on­go­ing in­ves­ti­ga­tion, we be­lieve a forged cookie may have been used in 2015 or 2016 to ac­cess your ac­count.”

Some users posted the ones they re­ceived to Twit­ter.

“Within six peo­ple in our lab group, at least one other per­son has got­ten this email,” said Joshua Plotkin, a bi­ol­ogy pro­fes­sor at the Univer­sity of Penn­syl­va­nia. “That’s just anec­do­tal, of course, but for two peo­ple in a group of six to have got­ten it, I imag­ine it’s a con­sid­er­able amount.”

Plotkin said he wasn’t con­cerned be­cause he used his Ya­hoo email for mes­sages that were “close to spam.”

In the mes­sage he posted to Twit­ter, he joked that “hope­fully the cookie was forged by a state known for such del­i­ca­cies.”

Mean­while, re­ports Wed­nes­day said Ya­hoo is near a deal to lower the price of the sale of its core In­ter­net busi­ness to Ver­i­zon by close to $300 mil­lion due to the hack­ing. The orig­i­nal deal car­ried a $4.8 bil­lion price tag.

We be­lieve a forged cookie may have been used in 2015 or 2016 to ac­cess your ac­count. WARN­ING TO YA­HOO USERS

Newspapers in English

Newspapers from Canada

© PressReader. All rights reserved.