Yahoo Says Forged Cookie Attack Accessed About 32 Million Accounts (cnet.com) 30
It looks like Yahoo has yet to reach its lowest point. The company revealed today via a regulatory filing that about 32 million user accounts were accessed by hackers in the past two years using forged cookies that allowed them to log into their accounts without passwords. According to Yahoo, the attack is likely connected to the "same state-sponsored actor believed to be responsible for the 2014 [breach]," which resulted in the theft of user information from 500 million user accounts. CNET reports: "Based on the investigation, we believe an unauthorized third party accessed the company's proprietary code to learn how to forge certain cookies," Yahoo said in its annual filing to the Securities and Exchange Commission. The company went on to say that forged cookies have been invalidated to prevent further use on accounts. Yahoo revealed the attack in December but the news was largely overlooked because the company announced at the same time it had identified a separate security breach that took place in 2013 in which hackers stole information on 1 billion Yahoo accounts. Yahoo CEO Marissa Mayer also revealed today that she is giving yahoo employees her annual bonus to make up for the massive hacks.
COOOOKIE! (Score:1)
Om nom nom ...
I am safe! (Score:2)
Re: (Score:3)
If an account is taken over and nobody ever tries to log in, does it make a sound?
Re: (Score:1)
Oh please, they knew all along. They just never expected anyone else to figure it out. Do you really think "nation state" actors are the only ones smart enough to reverse-engineer a security system that relies on the user's own password being one-time encrypted into their own session cookie as a load-alleviation feature? That also includes site-wide admin accounts? Please. There's no way that the list of "third parties" doesn't include their own current and former engineers and management staff. By th
32 million (Score:3)
32 million...to put that into perspective, that's more than the population of Texas, not quite as many as the population of California.
Or, put another way, that's about the combined populations of Illinois and Pennsylvania.
Way to go, Yahoo.
That would be Californians. Texans pickup trucks (Score:2)
> If you give 32 million people (that is, each Texan) a Chevy Bolt each
That would be Californians who a) drive tiny electric cars and b) expect someone to give them a car. Texans buy their own pickup trucks.
$150K to prevent these sure looks cheap now (Score:5, Interesting)
These vulnerabilities were of course in Yahoo's major service, not some minor service few people used or thought about. In other words, Yahoo mail is probably the number one thing Yahoo should have been thinking about when it comes to security. It also appears likely that these vulnerabilities were simple enough that a dedicated security professional reviewing their systems full time would or should have caught the mistakes, or at least mitigated the risks by pointing out that passwords weren't properly salted and hashed (for the 1 billion hack). It really looks like they could have prevented these by hiring one good security professional; and somebody working remote would have cost them $150K/year, someone in California maybe $300K.
So essentially they chose to lose $350 million in value rather than prevent the losses by spending $150K-$300K on a competent security person.
Re: (Score:2)
I'd log in and fix the security settings for my yahoo mail except... I would never give it out, and it hasn't received real mail in many years. They were like gmail, before gmail.
The brand is dead, I don't see much chance of getting resources to fix it. Whatever value yahoo has is in other stuff than email.
Re: (Score:2)
No, they chose not to have a recurring cost year on year if $150k plus overhead, or roughly $300k. Plus a manager and likely a few coworkers, for maybe $1M per year.
Would have been worth it still, but you are ignorant of exactly what would be involved. Hiring one guy for all of yahoo would hardly be effective.
Add in third party teams providing support and access, and you have a huge cost center for no observable gain. Unless the CIO can sell the plan. And that's the CIO's job. Why don't we see that head rol
This level of stupid on their primary service (Score:2)
They *should* have had a good security team as you describe.
There is a reason I pointed out these are simple, obvious mistakes on their primary service - including not hashing passwords properly, and doing authentication cookies wrong. These are things we check for if a customer orders a $500 security assessment. (Which is basically Nessus + our own scripts + an hour of manual investigation). Problems of this level are the things one engineer should find in a cheap assessment that takes just a couple hou
Re: (Score:2)
They're like 1990's Microsoft
How many active accounts? (Score:2)
I have one Yahoo account I still use for junk and 1 or 2 more that I don't use.