Yahoo discovered that hackers -apparently state-sponsored- accessed the company’s proprietary code to learn how to forge cookies. These forged cookies could allow the hackers to access a person’s account without need for a password. The company says they have invalidated the forged cookies but honestly, it’s too little too late. The same ‘state-sponsored’ hackers are believed to have carried out the data breach of 500 million accounts we reported about in September. Not that it absolves Yahoo of anything. Failure to inform it’s users of the security of their data is tantamount to a breach of trust. After the last breach, I frankly saw no more reason to keep my account. Read up on How to delete your Yahoo email in our last Yahoo breach post. We frankly can’t imagine there’s any more credibility left in Yahoo’s security capabilities. We have reproduced the statement below in part, but you can read it in full on Businesswire. As Yahoo previously disclosed in November, law enforcement provided the company with data files that a third party claimed was Yahoo user data. The company analyzed this data with the assistance of outside forensic experts and found that it appears to be Yahoo user data. Based on further analysis of this data by the forensic experts, Yahoo believes an unauthorized third party, in August 2013, stole data associated with more than one billion user accounts. The company has not been able to identify the intrusion associated with this theft. Yahoo believes this incident is likely distinct from the incident the company disclosed on September 22, 2016. For potentially affected accounts, the stolen user account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers. The investigation indicates that the stolen information did not include passwords in clear text, payment card data, or bank account information. Payment card data and bank account information are not stored in the system the company believes was affected. Yahoo is notifying potentially affected users and has taken steps to secure their accounts, including requiring users to change their passwords. Yahoo has also invalidated unencrypted security questions and answers so that they cannot be used to access an account.
