Yahoo has issued a new warning to account holders about malicious hacks linked to a third data breach that the company disclosed late last year.
The warning relates to more recent malicious activity targeting accounts between 2015 and 2016, most likely perpetrated by a "state actor", according to Yahoo. Specifically, the hacks are said to have been achieved by using "forged" cookies (the small text tokens that let web users stay signed in without having to re-enter their username and password), which were created by software stolen from within Yahoo's internal systems.
A message was sent to affected Yahoo users on Wednesday, warning them of the unauthorized access to their accounts, but Yahoo did not reveal how many people were notified.
Joshua B. Plotkin (@jplotkin) tweeted on February 15, 2017: "Hopefully the cookie was forged by a state known for such delicacies. #yahoo #security #baking"
"As we have previously disclosed, our outside forensic experts have been investigating the creation of forged cookies that could have enabled an intruder to access our users' accounts without a password," a Yahoo spokesperson told Associated Press. "The investigation has identified user accounts for which we believe forged cookies were taken or used. Yahoo is in the process of notifying all potentially affected account holders. Yahoo has invalidated the forged cookies so they cannot be used again."
Back in September, Yahoo revealed that hackers had stolen the personal data of "at least" 500 million users, but by December, the internet company admitted that over one billion Yahoo user accounts had been compromised in a separate hack dating back to August 2013. Information stolen included names, email addresses, phone numbers, birth dates, hashed passwords, security questions and answers.
The internet company is currently under investigation by the Securities and Exchange Commission over its failure to disclose its massive data breaches sooner.