Yahoo Notifying People About 'Forged Cookie' Attacks


Heads up, Yahoo users: a new breach notification warning may be on the way.

Yahoo is in the process of notifying individuals affected by a previously announced hack involving forged cookies, which allowed an intruder to access people's accounts without entering a password.

Yahoo in December said its outside forensic experts were investigating a forged cookie attack, which occurred between 2015 and 2016. The investigation connected some of that activity to the state-sponsored actor behind the 2014 theft of at least 500 million Yahoo user accounts disclosed in September.

Today, a Yahoo spokesperson told PCMag that investigators have "identified user accounts for which we believe forged cookies were taken or used." The company is now working to notify all potentially affected account holders. Yahoo declined to specify how many people it believes were affected.

Some users have posted screenshots on Twitter of the letter they received from Yahoo about the forged cookie attack.


"We are writing to inform you about a data security issue that involves your Yahoo account," the letter begins. It goes on to say that "a forged cookie may have been used in 2015 or 2016 to access your account."

Yahoo said it has invalidated the forged cookies so they can't be used again.

The news comes after Yahoo in December also disclosed a separate hack, which occurred in August 2013 and affected more than one billion accounts. That incident compromised names, email addresses, telephone numbers, birthdates, passwords, and security questions and answers, according to Bob Lord, Yahoo's chief information security officer. It might also put Yahoo's Verizon deal in jeopardy, according to reports.
