According to ZDNET, Yahoo has started sending out emails to its users, warning them of state-sponsored attacks. According to the report, the email includes warnings about a possible breach of users’ accounts.
This is not the first time in recent months that the company has suffered account breaches. Back in December, virtually every single Yahoo account holder got an email notifying them of a breach that dates back to 2013. The company said in a statement at the time that steps were already being taken to “secure those user accounts and we’re working closely with law enforcement.”
In an email sent to ZDNET by Yahoo, the company explained that state-sponsored attackers have gained access to users’ accounts, using what it regarded as a sophisticated cookie-forging attack. This so-called sophisticated attack, according to Yahoo, doesn’t require obtaining user passwords:
“Our outside forensic experts have been investigating the creation of forged cookies that could allow an intruder to access users’ accounts without a password. Based on the ongoing investigation, we believe a forged cookie may have been used in 2015 or 2016 to access your account”
Not everyone has received the email yet, but the company said it is in the process of getting all users informed of the development:
“The investigation has identified user accounts for which we believe forged cookies were taken or used. Yahoo is in the process of notifying all potentially affected account holders,” a Yahoo spokesperson confirmed to ZDNET.
While the email already sent to some users did not disclose the exact number of people involved, the number of people affected may not be large. This is based on the fact that state-sponsored attacks are usually targeted at a small number of people.
In 2016, Yahoo confirmed in two separate statements that hackers had breached users’ accounts, and gave assurances at the time that an investigation was ongoing. The two attacks caused some ripples, and almost led to the collapse of the proposed agreements between Verizon and Yahoo. Verizon was at the time finalizing the process of acquiring Yahoo.
“I think we have a reasonable basis to believe right now that the impact is material,” Verizon General Counsel Craig Silliman said of the last data breach, speaking to a small group of reporters at a roundtable. A “material” effect in this case is one that would harm Yahoo’s financial value, and make the Web giant less attractive to purchase.
Though those breaches didn’t lead to the collapse of the deal, they did bring down the final amount paid by Verizon by $250 million.
Yahoo said the attackers were able to access the accounts without the use of passwords after stealing the company’s source code used in generating cookies. This led the company to invalidate cookies, which enabled it to lock out the hackers.
Questions are still being asked by everyone about how Yahoo handled previous breaches, and about the efforts being made to secure the accounts of its users all over the world.