Yahoo: Your Email Accounts May Have Been Hacked, Again

For the third time in less than 6 months, Yahoo has, once again, warned users that their email accounts may have been hacked.

On the day where Verizon is reportedly renegotiating its deal to acquire Yahoo at $250 less than the original amount, Yahoo has revealed that their email accounts may be compromised.

While declining to reveal the number of accounts or users affected, Yahoo has begun notifying users that their accounts may have been accessed without their knowledge between 2015 and 2016.

In an email circular sent to users today, the company stated:

Based on the ongoing investigation, we believe a forged cookie may have been used in 2015 or 2016 to access your account.

These “forged cookies” were first revealed by Yahoo in December, when the company admitted to the breach of a billion user accounts. The company believes the forged cookie incident to be related to an earlier breach it reported in September, one that involved 500 million accounts.

“As we have previously disclosed, our outside forensic experts have been investigating the creation of forged cookies that could have enabled an intruder to access our users’ accounts without a password,” a Yahoo spokesperson confirmed in a statement. “The investigation has identified user accounts for which we believe forged cookies were taken or used. Yahoo is in the process of notifying all potentially affected account holders. Yahoo has invalidated the forged cookies so they cannot be used again.”

To create these rogue cookies, researchers believe that malicious hackers obtained Yahoo’s source code in order to breach the internet company’s databases.

Intriguingly, Yahoo adds that the breaches were the result of a state-sponsored attack, although there is no evidence to prove this claim.

In recent times, Yahoo has admitted to a number of significant data breaches, including the 500 million accounts compromised in 2014 and up to a billion accounts – one of the largest data breaches ever – in 2013. Notably, these mega-breaches only came to light last year. As a consequence, the Securities and Exchange Commission (SEC) is now investigating Yahoo to see why the web giant waited years before disclosing the attacks.

Image credit: Pixabay.