Yahoo warns users about malicious activity in accounts
SAN JOSE — Yahoo is warning some users that their accounts have been compromised, after the firm’s investigation turned up evidence that intruders infiltrated Yahoo accounts by using forged cookies.
And that’s bad news for Yahoo account holders, cybersecurity experts said. The fact that attackers created viable forged cookies indicates they stole critical parts of Yahoo’s network infrastructure, said Chris Roberts, chief security architect at cybersecurity firm Acalvio. Bad actors can use that data to access users’ accounts and then apply an automated system to mine users’ data for information of value.
“Financial records, health care records, privacy information — all go to different sets of buyers,” Roberts said.
Although Yahoo said it had invalidated the forged cookies so they couldn’t be used again, the hackers, once they’d penetrated Yahoo’s network, could have created another way in that the company hasn’t discovered, said Peter Nguyen, head of technical services at LightCyber, a cybersecurity company.
It was not immediately clear how connected the malicious account activity was to the two record-setting hacks of users’ data Yahoo disclosed last year. The company said in December that the problem with forged cookies — data strings used to connect users with websites — had been identified separately from the firm’s probe into the hacks. But Yahoo said the state-sponsored actor it believes responsible for the smaller of the two huge data breaches was involved in some of the forged-cookie intrusions.
“As we have previously disclosed, our outside forensic experts have been investigating the creation of forged cookies that could have enabled an intruder to access our users’ accounts without a password,” Yahoo said in a statement Wednesday. “The investigation has identified user accounts for which we believe forged cookies were taken or used. Yahoo is in the process of notifying all potentially affected account holders. Yahoo has invalidated the forged cookies so they cannot be used again.”
Yahoo’s security investigations are nearly finished, and the firm has notified a “reasonably final list” of affected users about the cookie-related compromises, a person familiar with the situation said Wednesday.