Yahoo announced on December 14th, following an investigation led by law enforcement officials in November, that the company has suffered another previously undetected data breach affecting over 1 billion accounts. Yahoo, alongside a team of outside forensic experts, determined that the initial breach took place in August 2013, and stressed that this attack was distinct from the breach disclosed this fall, a separate incident that affected some 500 million Yahoo customers.
The information accessed from the potentially compromised accounts “may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers,” Yahoo’s chief information security officer Bob Lord reported in a statement published Wednesday. “The investigation indicates that the stolen information did not include passwords in clear text, payment card data, or bank account information. Payment card data and bank account information are not stored in the system the company believes was affected.”
Earlier, on September 22, Yahoo had disclosed a previously undiscovered security breach that had affected more than 500 million account holders. It’s unclear whether the information reviewed by law enforcement is connected to the samples of stolen accounts being sold on underground forums back in August. But it doesn’t end there; it gets worse.
Additionally, Yahoo’s third-party forensic experts discovered that someone had found a way to forge web browser “cookies,” allowing the attacker to gain access to users’ accounts without ever needing to log in. “Based on the ongoing investigation we believe an unauthorized third party accessed our proprietary code to learn how to forge cookies,” Lord explained. “We have connected some of this activity to the same state-sponsored actor believed to be responsible for the data theft the company disclosed on September 22, 2016.”
Yahoo’s cookie vulnerability was no surprise to the company; the issue had actually been revealed in a quarterly SEC filing dating back to October.
Authentication cookies are small pieces of text that the browser stores and sends back with each request, containing information about a specific user session with Yahoo. Cookies can contain a wealth of personal information about the user, such as whether the user has already been authenticated by the company’s servers. According to Yahoo, attackers were able to forge these authentication cookies, granting them access to targeted accounts without ever needing the password. What is striking is that the forged cookies could have allowed attackers to stay logged in indefinitely.
Lord said that Yahoo has informed all customers whose accounts were exposed due to forged cookies, and has “invalidated” all of the cookies as well as “hardened our systems to secure against similar attacks.” As for the most recent data breach spanning some 1 billion accounts, Lord said, “We are notifying potentially affected users and have taken steps to secure their accounts, including requiring users to change their passwords. We have also invalidated unencrypted security questions and answers so that they cannot be used to access an account…We continuously enhance our safeguards and systems that detect and prevent unauthorized access to user accounts.”
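The cookie mechanism and the invalidation step described above, as an added illustration that is not Yahoo’s code and makes no claim about how Yahoo’s cookies were built: a signed session cookie whose verifier rejects tampered payloads, expired sessions, and anything issued before a server-side reset or under a retired signing key. The signing key, session lifetime and user ids are constructed for the example.

```python
import base64, binascii, hashlib, hmac, json

# Hypothetical values, not Yahoo's: a server-side signing key and a session lifetime.
SIGNING_KEY = b"constructed-demo-key-keep-server-side"
SESSION_TTL = 24 * 3600  # seconds; bounds how long a stolen or forged cookie stays usable


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_cookie(user_id: str, now: int, key: bytes = SIGNING_KEY) -> str:
    """Server issues 'payload.signature'; the HMAC binds uid and timestamps to the key."""
    claims = {"uid": user_id, "iat": now, "exp": now + SESSION_TTL}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(sig)}"


def verify_cookie(cookie: str, now: int, key: bytes = SIGNING_KEY, not_before: int = 0):
    """Return the user id for a valid cookie, else None. Each rejection is a defence:
    bad MAC = tampered or forged, exp = no indefinite sessions, not_before = fleet-wide reset."""
    try:
        p64, s64 = cookie.split(".", 1)
        payload, sig = _unb64(p64), _unb64(s64)
        expected = hmac.new(key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):  # constant-time comparison
            return None
        claims = json.loads(payload)
    except (ValueError, binascii.Error):
        return None
    if now >= claims["exp"]:
        return None
    if claims["iat"] < not_before:
        return None
    return claims["uid"]


def demo() -> dict:
    """Constructed scenario: a legitimate cookie, a tampered copy, expiry, and two invalidations."""
    c = issue_cookie("alice", now=1_000)
    p64, s64 = c.split(".", 1)
    tampered = _b64(_unb64(p64).replace(b"alice", b"bobby")) + "." + s64  # payload changed, old MAC kept
    return {
        "valid": verify_cookie(c, now=1_060),
        "tampered": verify_cookie(tampered, now=1_060),
        "expired": verify_cookie(c, now=1_000 + SESSION_TTL),
        "after_epoch_reset": verify_cookie(c, now=1_060, not_before=2_000),
        "after_key_rotation": verify_cookie(c, now=1_060, key=b"rotated-key"),
    }
```

Rotating the key or raising `not_before` is the server-side equivalent of the blanket cookie invalidation Yahoo describes; the expiry check is what prevents a captured cookie from working indefinitely.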
Yahoo has urged all users to change their passwords and security questions immediately, and to change the password on any other site where the Yahoo password was reused. This eliminates the threat of someone reusing your Yahoo credentials on another site and gaining access to yet another account.
We would highly urge everyone to migrate away from the ever-failing Yahoo email, simply because the service is outdated and insecure. Not only has the company fallen behind on basic email standards, it has suffered data breaches more times than we can count. Yahoo has also effectively weakened its own account security by making secret questions so easy to abuse: guess them right and you’re granted a free password reset.
Not to mention the company has zero respect for privacy. Moving is easy and you can take your old email with you. Wondering who to migrate to? Be sure to check out our List of secure email providers that take privacy seriously. They’re all free and the list was recently updated!
[Photo via NYPhotographic/thebluediamondgallery (CC BY-SA 3.0)]