SAN JOSE, Calif. — Yahoo is warning some users that their accounts have been compromised, after the firm’s investigation turned up evidence that intruders infiltrated Yahoo accounts by using forged cookies.

And that’s bad news for Yahoo account holders, cybersecurity experts said. The fact that attackers created viable forged cookies indicates they stole critical parts of Yahoo’s network infrastructure, said Chris Roberts, chief security architect at cybersecurity firm Acalvio. Bad actors can use that data to access users’ accounts and then apply an automated system to mine users’ data for information of value.

“Financial records, health care records, privacy information — all go to different sets of buyers,” Roberts said.

Although Yahoo said it had invalidated the forged cookies so they couldn’t be used again, the hackers, once they’d penetrated Yahoo’s network, could have created another way in that the company hasn’t discovered, said Peter Nguyen, head of technical services at LightCyber, a cybersecurity company.

It was not immediately clear how connected the malicious account activity was to the two record-setting hacks of users’ data Yahoo disclosed last year. The company said in December that the problem with forged cookies — data strings used to connect users with websites — had been identified separately from the firm’s probe into the hacks. But Yahoo said the state-sponsored actor it believes responsible for the smaller of the two huge data breaches was involved in some of the forged-cookie intrusions.

“As we have previously disclosed, our outside forensic experts have been investigating the creation of forged cookies that could have enabled an intruder to access our users’ accounts without a password,” Yahoo said in a statement Wednesday. “The investigation has identified user accounts for which we believe forged cookies were taken or used.

“Yahoo is in the process of notifying all potentially affected account holders. Yahoo has invalidated the forged cookies so they cannot be used again.”

Yahoo’s security investigations are nearly finished, and the firm has notified a “reasonably final list” of affected users about the cookie-related compromises, a person familiar with the situation said Wednesday.

The firm did not disclose how many user accounts were compromised by the forging of Yahoo’s cookies.

LightCyber’s Nguyen believes the forged cookies represented the first step on the way to the data breaches of some half billion user accounts in one instance and more than a billion in the other. The cookies were the attackers’ means of getting into Yahoo’s system to discover and then steal data of value, Nguyen said.

The disclosure from Yahoo came as its shaky sale to Verizon moved onto firmer ground Wednesday, after reports indicated the price has dropped by $250 million to $300 million.

The reported discount, stemming from the revelations last year about the huge hacks, is significantly lower than the $1 billion many analysts believed would be taken off the price.

And news that Verizon would pay less for the struggling Sunnyvale, Calif., tech giant also suggested that the sale would go ahead in spite of data-breach fallout including lawsuits and potential damage to Yahoo’s brand.

“It certainly brings it closer to reality,” said Pivotal Research analyst Brian Wieser.

Yahoo put itself up for sale in February 2016 and in July accepted Verizon’s $4.8 billion bid. But disclosures from the company soon threw the deal into jeopardy.

In September, Yahoo announced that at least 500 million user accounts had been hacked in 2014. Names, email addresses, phone numbers, dates of birth, scrambled passwords and security question answers may have been stolen, the company warned. Yahoo said it had discovered the hack through a “recent investigation.” Verizon called the data breach “material” to its purchase of Yahoo. Analysts began questioning the viability of the sale and predicting that, if it did go through, Verizon would receive a deep discount.

Then in November, a Securities and Exchange Commission filing by Yahoo revealed that, contrary to its statement about a recent investigation, it knew in 2014 that it had been hacked but withheld the information from the public and regulators for nearly two years. Yahoo said in the filing that the Verizon sale was at risk because of the data breach.

And that lapse in cybersecurity soon looked paltry in the face of Yahoo’s disclosure in December that hackers in 2013 had stolen the same kinds of personal data from more than a billion user accounts.

Verizon’s most recent statement on the Yahoo purchase said it was still assessing fallout from the larger data breach.

The theft of Yahoo users’ personal data has spawned more than two dozen lawsuits from users, all of them seeking class-action status.

On Wednesday, the Wall Street Journal reported that Verizon would get about $300 million off the sale price of Yahoo, and Bloomberg reported the discount would amount to about $250 million.

Pivotal’s Wieser had expected a $1 billion discount.

“It’s positive for Yahoo shareholders, certainly, if the number is more like $300 million,” Wieser said. “That’s certainly positive for Yahoo. It’s positive for Verizon, too, getting the deal out of the way and moving on.

“It’s time to put legacy Yahoo out of its misery.”

-Tribune News Service
