TOUGH COOKIE
Yahoo breach of 1B users linked to malware
Yahoo warned some of its users Wednesday of potential malicious activity on their accounts in 2015 and 2016.
The breach involves forged cookies — strings of data that can be used to access users’ accounts without a password, Yahoo said in a notification email.
It’s unclear how many people were affected by the malicious activity.
Yahoo believes some of the potential compromises are connected to the unspecified “state-sponsored actor” responsible for the theft of private data from more than 1 billion user accounts, a breach that was announced in September.
“The investigation has identified user accounts for which we believe forged cookies were taken or used,” Yahoo said in a statement. “Yahoo is in the process of notifying all potentially affected account holders.”
Yahoo invalidated the forged cookies “so they cannot be used again,” the company added.
An investigation is ongoing, Yahoo said.
The massive breach raised questions about Yahoo’s security and destabilized the company’s deal to sell its email service, websites and mobile applications to Verizon Communications.
A warning message sent to Yahoo users Wednesday read: “Based on the ongoing investigation, we believe a forged cookie may have been used in 2015 or 2016 to access your account.”
Some users posted the messages they received to Twitter. “Within six people in our lab group, at least one other person has gotten this email,” said Joshua Plotkin, biology professor at the University of Pennsylvania. “That’s just anecdotal, of course, but for two people in a group of six to have gotten it, I imagine it’s a considerable amount.”
Plotkin said he wasn’t concerned because he used his Yahoo email for messages that were “close to spam.” In a message he posted to Twitter, he joked that “hopefully the cookie was forged by a state known for such delicacies.”
Last month, Yahoo said Chief Executive Officer Marissa Mayer would step down from the board after the conclusion of its deal with Verizon.
Five other directors were also to resign after the deal closes.
But Verizon’s $4.83 billion deal for Yahoo’s core internet assets came under renewed scrutiny by federal investigators and lawmakers after Yahoo disclosed the September data breach, the largest known in history.
That month, a New York man sued on behalf of all Yahoo users in the U.S. whose personal information was compromised.