Haven’t deleted your Yahoo account yet? There’s a new forged cookie hack risk

Yahoo! has issued a new warning of potentially malicious activity in user accounts.

Hackers used forged cookies to access users’ accounts without needing a password, with the activity spanning 2015 and 2016.
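To make concrete what “forged cookies” means in practice, the following is an added illustration, not code from Yahoo! or from this article (the page does not describe how Yahoo!’s real login cookies were built). It assumes a hypothetical scheme in which the cookie is the user id plus an HMAC-SHA256 tag under a server-side key, and it shows the three cases a practitioner cares about: a captured cookie edited without the key is rejected, a cookie minted by anyone holding the signing key is accepted with no password involved, and rotating the key kills every cookie minted under the old one. The function and key names are assumptions for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed example: a minimal HMAC-signed login cookie of the form
# "<user_id>.<hex HMAC-SHA256(user_id)>".  The scheme, the names and the
# keys below are assumptions for illustration; the page does not describe
# how Yahoo!'s real cookies were built.


def sign_cookie(user_id: str, key: bytes) -> str:
    """Mint a login cookie for user_id under the server's signing key."""
    tag = hmac.new(key, user_id.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{user_id}.{tag}"


def verify_cookie(cookie: str, key: bytes) -> Optional[str]:
    """Return the user id the cookie asserts if its tag verifies, else None."""
    user_id, sep, tag = cookie.rpartition(".")
    if not sep or not user_id:
        return None
    expected = hmac.new(key, user_id.encode("utf-8"), hashlib.sha256).hexdigest()
    # Constant-time comparison so the tag cannot be guessed byte by byte.
    if not hmac.compare_digest(expected, tag):
        return None
    return user_id


def forge_demo() -> dict:
    """Walk through the cases that matter for a forged-cookie attack."""
    server_key = secrets.token_bytes(32)

    # 1. A legitimate login: the server checks alice's password (not shown)
    #    and only then mints her cookie.
    alice_cookie = sign_cookie("alice", server_key)

    # 2. An attacker who merely captures alice's cookie and edits the user id
    #    cannot become someone else: the tag no longer matches.
    _, _, alice_tag = alice_cookie.rpartition(".")
    tampered = f"victim.{alice_tag}"

    # 3. An attacker who holds the signing key (here assumed to have been
    #    recovered from leaked server code or config) needs no password:
    #    the server cannot tell this cookie from one it minted itself.
    leaked_key = server_key
    forged = sign_cookie("victim", leaked_key)

    # Mitigation: rotate the signing key.  Every cookie minted under the old
    # key, forged or genuine, stops verifying and forces a fresh login.
    rotated_key = secrets.token_bytes(32)

    return {
        "genuine": verify_cookie(alice_cookie, server_key),
        "tampered_without_key": verify_cookie(tampered, server_key),
        "forged_with_leaked_key": verify_cookie(forged, server_key),
        "forged_after_rotation": verify_cookie(forged, rotated_key),
    }


if __name__ == "__main__":
    for case, who in forge_demo().items():
        print(f"{case:>24}: {'accepted as ' + who if who else 'rejected'}")
```

Two points follow from the example. A cookie like this is issued after login has already succeeded, so whatever that login required (password, two-step code, Account Key) is bypassed by anyone who can mint the cookie; stronger authentication does not by itself stop the attack once the signing key is out. And key rotation is the blunt fix; the finer one is to keep a server-side record of issued sessions and reject any cookie, however well signed, that names a session the server never created.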

Last September, Yahoo! admitted that the personal data of more than 500 million users might have been stolen by hackers. Three months later, in December, it admitted that a separate breach in 2013 might have exposed the account credentials of one billion users. Yahoo!’s security controls and its incident response handling have been the focus of intense criticism from third-party security experts, and that criticism has continued in the wake of the latest revelations.

Chris Boyd, malware intelligence analyst at Malwarebytes, said: “It’s fair to say that many Yahoo! users must already be feeling ‘incident fatigue’, given the frequency with which these stories seem to crop up. The sense of confusion – ‘Haven’t I heard about this one and taken steps already?’ – can lead to people becoming complacent with regard to updating logins, or worse, simply not bothering to shore up defences.

“It’s essential all Yahoo users roll up their sleeves and continue to use secure passwords and enable two-step verification. While this clearly won’t save them in all circumstances, it is still certainly better than nothing,” he added.

Tony Pepper, chief exec and co-founder of data security company Egress, said: “Yahoo has clearly been under systematic attack for quite some time and, aside from questions about its historic ability – or lack thereof – to spot breaches, this incident raises a whole host of concerns about the state of data security in general.

“The fact that the hackers were able to access accounts without the need for passwords is a serious issue. We routinely rely on passwords to protect our data and privacy, and red flags are now being raised. Consumers and businesses alike must be encouraged to turn on things like two-factor authentication wherever possible and keep a close eye on their accounts,” he added.

Jason Hart, CTO of data protection at Gemalto, commented: “While it is ‘news’ that Yahoo is making another announcement about a breach, it shouldn’t be surprising. Opt-in security is not an option in this day and age.

“The company recommended that users consider adopting its Yahoo Account Key, an authentication tool that eliminates the need for a password. However, tools like this only work if the user remembers to activate them. Given the current security climate, all companies should have multi-factor authentication activated by default for all online accounts,” he added.

Andy Norton, risk officer EMEA at endpoint protection company SentinelOne, said: “Yahoo said in its announcement that an ongoing forensic investigation suspects that the attacker had access to proprietary code to learn how to forge cookies. This would show new behaviours beyond just stealing user databases; the attackers have also looked at alternative methods to infiltrate Yahoo users’ accounts.”

“Yahoo – and other email providers – would be a target if they are providing services to regime dissidents or investigative journalists – essentially any user who poses a perceived threat to a current regime,” he added. ®

Source: The Register – Security @ February 16, 2017 at 07:36AM