
Yahoo Says Forged Cookie Attack Accessed About 32 Million Accounts (cnet.com)

It looks like Yahoo has yet to reach its lowest point. The company revealed today via a regulatory filing that about 32 million user accounts were accessed by hackers in the past two years using forged cookies that allowed them to log into those accounts without passwords. According to Yahoo, the attack is likely connected to the "same state-sponsored actor believed to be responsible for the 2014 [breach]," which resulted in the theft of user information from 500 million user accounts. CNET reports: "Based on the investigation, we believe an unauthorized third party accessed the company's proprietary code to learn how to forge certain cookies," Yahoo said in its annual filing to the Securities and Exchange Commission. The company went on to say that forged cookies have been invalidated to prevent further use on accounts. Yahoo revealed the attack in December, but the news was largely overlooked because the company announced at the same time that it had identified a separate security breach, which took place in 2013, in which hackers stole information on 1 billion Yahoo accounts. Yahoo CEO Marissa Mayer also revealed today that she is giving Yahoo employees her annual bonus to make up for the massive hacks.
  • by Anonymous Coward

    Om nom nom ...

  • I know for sure I am safe, because I haven't logged in to Yahoo in a while...
  • by JustAnotherOldGuy ( 4145623 ) on Wednesday March 01, 2017 @08:47PM (#53959115) Journal

    32 million...to put that into perspective, that's more than the population of Texas, not quite as many as the population of California.

    Or, put another way, that's about the combined populations of Illinois and Pennsylvania.

    Way to go, Yahoo.

  • by raymorris ( 2726007 ) on Wednesday March 01, 2017 @08:54PM (#53959153) Journal

    These vulnerabilities were of course in Yahoo's major service, not some minor service few people used or thought about. In other words, Yahoo mail is probably the number one thing Yahoo should have been thinking about when it comes to security. It also appears likely that these vulnerabilities were simple enough that a dedicated security professional reviewing their systems full time would or should have caught the mistakes, or at least mitigated the risks by pointing out that passwords weren't properly salted and hashed (for the 1 billion hack). It really looks like they could have prevented these by hiring one good security professional; somebody working remotely would have cost them $150K/year, someone in California maybe $300K.

    So essentially they chose to lose $350 million in value rather than prevent the losses by spending $150K-$300K on a competent security person.

    • I'd log in and fix the security settings for my yahoo mail except... I would never give it out, and it hasn't received real mail in many years. They were like gmail, before gmail.

      The brand is dead, I don't see much chance of getting resources to fix it. Whatever value yahoo has is in other stuff than email.

    • No, they chose not to have a recurring cost year on year of $150k plus overhead, or roughly $300k. Plus a manager and likely a few coworkers, for maybe $1M per year.

      Would have been worth it still, but you are ignorant of exactly what would be involved. Hiring one guy for all of yahoo would hardly be effective.

      Add in third party teams providing support and access, and you have a huge cost center for no observable gain. Unless the CIO can sell the plan. And that's the CIO's job. Why don't we see that head rol

      • They *should* have had a good security team as you describe.

        There is a reason I pointed out these are simple, obvious mistakes on their primary service - including not hashing passwords properly, and doing authentication cookies wrong. These are things we check for if a customer orders a $500 security assessment. (Which is basically Nessus + our own scripts + an hour of manual investigation). Problems of this level are the things one engineer should find in a cheap assessment that takes just a couple hou
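The comment above and the summary both turn on authentication cookies being forgeable once someone knows how they are built. The added example below is not Yahoo's code and not part of the Slashdot thread; it is a minimal illustration of the defensive design that makes knowing the format insufficient: a session cookie carries a claims payload plus an HMAC-SHA256 tag under a server-side secret, the verifier uses a constant-time comparison and an expiry check, and rotating the key (as a remediation like Yahoo's "forged cookies have been invalidated") makes every cookie minted under the old key fail verification. The `SessionCookies` class, the `kid` field, the in-memory key store and the `tampered_copy` helper are assumptions made for the example, not any real product's API.

```python
import base64
import hashlib
import hmac
import json
import secrets


def _b64e(raw: bytes) -> str:
    # URL-safe base64 without padding, so the cookie is safe in a Set-Cookie header.
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class SessionCookies:
    """Issue and verify HMAC-signed session cookies (assumed design, not a real product's)."""

    def __init__(self) -> None:
        self._counter = 0
        self.keys: dict = {}
        self.active = ""
        self.rotate_key()

    def rotate_key(self) -> None:
        # Dropping old keys means cookies minted under them no longer verify,
        # the same effect as invalidating forged or leaked cookies server-side.
        self._counter += 1
        self.active = "k%d" % self._counter
        self.keys = {self.active: secrets.token_bytes(32)}

    def issue(self, user_id: str, now: float, ttl: int = 3600) -> str:
        claims = {"uid": user_id, "exp": int(now + ttl), "kid": self.active}
        payload = json.dumps(claims, separators=(",", ":")).encode()
        tag = hmac.new(self.keys[self.active], payload, hashlib.sha256).digest()
        return _b64e(payload) + "." + _b64e(tag)

    def verify(self, cookie: str, now: float):
        """Return the user id for a valid cookie, or None; never raises on malformed input."""
        try:
            p64, t64 = cookie.split(".")
            payload, tag = _b64d(p64), _b64d(t64)
            claims = json.loads(payload)
            key = self.keys.get(claims.get("kid"))
            if key is None:
                return None  # unknown or rotated-out key
            expected = hmac.new(key, payload, hashlib.sha256).digest()
            if not hmac.compare_digest(tag, expected):
                return None  # payload altered or tag not produced with our key
            if int(claims["exp"]) < now:
                return None  # expired
            return claims["uid"]
        except (ValueError, KeyError, TypeError):
            return None


def tampered_copy(cookie: str, new_uid: str) -> str:
    # Test helper: rewrite the claims but keep the original tag, which is what an
    # attacker who knows the format but not the key can do. The verifier must reject it.
    p64, t64 = cookie.split(".")
    claims = json.loads(_b64d(p64))
    claims["uid"] = new_uid
    return _b64e(json.dumps(claims, separators=(",", ":")).encode()) + "." + t64


if __name__ == "__main__":
    sc = SessionCookies()
    cookie = sc.issue("alice", now=1000)
    print("valid:", sc.verify(cookie, now=1500))
    print("tampered:", sc.verify(tampered_copy(cookie, "admin"), now=1500))
    sc.rotate_key()
    print("after rotation:", sc.verify(cookie, now=1500))
```

The point the comment makes is that the secret, not the cookie format, has to be what protects the session: a verifier that checks a keyed MAC in constant time and refuses unknown key ids cannot be satisfied by someone who has only read the code, and key rotation is the switch that retires every cookie issued before it.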

  • I have one Yahoo account I still use for junk and 1 or 2 more that I don't use.
