February 16, 2017, updated 22 Feb 2017 4:49pm

More bad news for Yahoo as hackers strike yet again

The security nightmare shows no sign of ending for Yahoo - with this latest security issue involving cookie forging.

By Ellie Burns

Hackers are certainly rubbing salt into the wounds of Yahoo, with the tech giant warning customers that a sophisticated cookie forging attack could have given state-sponsored hackers access to their accounts.

Just two months after disclosing that a mega data breach had compromised the accounts of one billion users, Yahoo has not yet confirmed how many user accounts may be affected by this latest security issue. A notification email sent by Yahoo to users said:

“Our outside forensic experts have been investigating the creation of forged cookies that could allow an intruder to access users’ accounts without a password. Based on the ongoing investigation, we believe a forged cookie may have been used in 2015 or 2016 to access your account.”

A Yahoo spokesperson said: “The investigation has identified user accounts for which we believe forged cookies were taken or used.

“Yahoo is in the process of notifying all potentially affected account holders. Yahoo has invalidated the forged cookies so they cannot be used again.”

Yahoo cookie forging cyberattack

According to reports in the Guardian, Yahoo first reported the cookie forging in November 2016, further outlining the issue in a security update in December 2016. However, users have only been notified this week.

In what is the latest in a long line of cyber security problems for Yahoo, it remains to be seen if this latest security issue will impact the huge number of users seen in previous breaches.

2016 saw the tech giant disclose two major breaches, with a 2014 breach compromising 500 million accounts, and a 2013 hack hitting one billion user accounts. Although bank and payment information was not stolen, names, phone numbers, passwords and email addresses were all taken in the attacks.

The cyber security nightmare which Yahoo finds itself in could not have come at a worse time, with the tech company in the midst of an acquisition deal with Verizon. The initial deal on the table had a price tag of $4.8 billion, with Verizon looking to acquire Yahoo’s internet properties.

However, after the disclosure of the first data breach, Verizon’s general counsel Craig Silliman said that it was “reasonable” for Verizon to believe that the impact of the breach was “material”. This refers to specific legal language in the deal that says Verizon can withdraw if an event occurs which “reasonably can be expected to have a material adverse effect on the business, assets, properties, results of operation or financial condition of the business.”

Further reports suggested that Verizon was looking for a $1 billion price reduction in the acquisition deal, with the New York Post reporting that this move was being met with fierce resistance from Yahoo.

Latest reports suggest that Verizon has secured a discount on the acquisition deal, slashing the asking price by $250 million.
