Yahoo Says Forged Cookie Attack Accessed About 32 Million Accounts (cnet.com)
Date: 2017-03-01
It looks like Yahoo has yet to reach its lowest point. The company revealed today via a regulatory filing that about 32 million user accounts were accessed by hackers in the past two years using forged cookies that allowed them to log into their accounts without passwords. According to Yahoo, the attack is likely connected to the "same state-sponsored actor believed to be responsible for the 2014 [breach]," which resulted in the theft of user information from 500 million user accounts. CNET reports: "Based on the investigation, we believe an unauthorized third party accessed the company's proprietary code to learn how to forge certain cookies," Yahoo said in its annual filing to the Securities and Exchange Commission. The company went on to say that forged cookies have been invalidated to prevent further use on accounts. Yahoo revealed the attack in December, but the news was largely overlooked because the company announced at the same time that it had identified a separate security breach that took place in 2013 in which hackers stole information on 1 billion Yahoo accounts. Yahoo CEO Marissa Mayer also revealed today that she is giving Yahoo employees her annual bonus to make up for the massive hacks.
I am safe! (Score:2)
Re: (Score:1)
Oh please, they knew all along. They just never expected anyone else to figure it out. Do you really think "nation state" actors are the only ones smart enough to reverse-engineer a security system that relies on the user's own password being one-time encrypted into their own session cookie as a load-alleviation feature? That also includes site-wide admin accounts? Please. There's no way that the list of "third parties" doesn't include their own current and former engineers and management staff. By th
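The summary and the comment above both turn on one design point: a session cookie whose validity depends on knowing how the server builds it can be forged by anyone who reads that code, while a cookie bound to a server-side secret cannot, and the whole population of issued cookies can be invalidated at once by retiring that secret. The following is an added illustration written for this thread, not Yahoo's code or anything from the filing; the key ids, the 24-hour lifetime and the helper names are assumptions chosen for the example.

```python
"""Signed session cookies: issue, verify, and bulk-invalidate by key rotation.

Added example (not Yahoo's implementation). A cookie is kid.payload.mac where
the MAC is HMAC-SHA256 over "kid.payload" with a server-side key. Knowing this
format is not enough to forge a cookie; only the key is. Retiring a key
invalidates every cookie signed under it, which is how "forged cookies have
been invalidated" can be done in bulk.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Server-side signing keys indexed by key id (constructed for this example).
KEYS = {"k1": secrets.token_bytes(32)}
CURRENT_KEY_ID = "k1"
SESSION_TTL = 24 * 3600  # assumed cookie lifetime in seconds


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _sign(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def _payload(user_id: str, now: float) -> bytes:
    claims = {"uid": user_id, "exp": int(now) + SESSION_TTL}
    return json.dumps(claims, separators=(",", ":")).encode()


def issue_cookie(user_id: str, now: Optional[float] = None) -> str:
    """Build a cookie for user_id under the current key: kid.payload.mac."""
    now = time.time() if now is None else now
    kid = CURRENT_KEY_ID
    payload = _payload(user_id, now)
    mac = _sign(KEYS[kid], kid.encode() + b"." + payload)
    return f"{kid}.{_b64(payload)}.{_b64(mac)}"


def verify_cookie(cookie: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user id if the cookie is genuine and unexpired, else None."""
    now = time.time() if now is None else now
    try:
        kid, payload_b64, mac_b64 = cookie.split(".")
        payload = _unb64(payload_b64)
        mac = _unb64(mac_b64)
    except (ValueError, TypeError):
        return None
    key = KEYS.get(kid)
    if key is None:  # unknown or retired key id: cookie no longer accepted
        return None
    expected = _sign(key, kid.encode() + b"." + payload)
    if not hmac.compare_digest(mac, expected):  # constant-time comparison
        return None
    try:
        claims = json.loads(payload)
    except ValueError:
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) < now:
        return None
    return claims.get("uid")


def rotate_key() -> str:
    """Retire the current key so every cookie signed with it stops verifying."""
    global CURRENT_KEY_ID
    new_kid = "k" + str(int(CURRENT_KEY_ID[1:]) + 1)
    KEYS[new_kid] = secrets.token_bytes(32)
    del KEYS[CURRENT_KEY_ID]
    CURRENT_KEY_ID = new_kid
    return new_kid


def format_only_cookie(user_id: str, now: Optional[float] = None) -> str:
    """Negative test: a cookie built from format knowledge alone (no key).

    Used to show that verify_cookie rejects it; the MAC field is all zeros.
    """
    now = time.time() if now is None else now
    zero_mac = _b64(bytes(32))
    return f"{CURRENT_KEY_ID}.{_b64(_payload(user_id, now))}.{zero_mac}"
```

The point of keying the MAC on a secret rather than on code structure is that the cookie's integrity no longer depends on the server's source staying private; the point of the key id is that invalidation becomes a single operation on the server rather than a hunt for individual cookie values.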
32 million (Score:2)
32 million...to put that into perspective, that's more than the population of Texas, not quite as many as the population of California.
Or, put another way, that's about the combined populations of Illinois and Pennsylvania.
Way to go, Yahoo.
$150K to prevent these sure looks cheap now (Score:2)
These vulnerabilities were of course in Yahoo's major service, not some minor service few people used or thought about. In other words, Yahoo mail is probably the number one thing Yahoo should have been thinking about when it comes to security. It also appears likely that these vulnerabilities were simple enough that a dedicated security professional reviewing their systems full time would or should have caught the mistakes, or at least mitigated the risks by pointing out that passwords weren't properly sal