The Yahoo saga continues: the company has again begun notifying users of further malicious activity involving their accounts. Attackers appear to have accessed user accounts via forged cookies rather than passwords. Unfortunately, Yahoo has not specified how many accounts were accessed this way.
This may not come as a surprise, since it surfaced at a time when a series of breaches involving Yahoo came to light. Still, the attack should not be underestimated, as its implications may be more damaging than expected.
The first batch of notifications was sent to affected users in December last year, but it appears this isn't the end of the saga.
According to Yahoo's filing with the US Securities and Exchange Commission, the attackers who had access to Yahoo's network in 2015 were state-sponsored. They created forged cookies that granted access to accounts without a password, and various account details could have been accessed as well. The incidents took place in 2015 and 2016. The forged cookies have since been invalidated.
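As an added illustration (not part of the article, and not a description of Yahoo's actual cookie format or code), the following Python snippet shows why a forged cookie grants access without a password: a session cookie is a bearer credential, so whoever can produce one the server accepts is logged in. The server-side checks shown here, an HMAC over the cookie contents under a server-held key, an expiry, and a per-session revocation list, are what let a server reject a cookie that was fabricated or altered, and rotating the key invalidates every cookie issued under the old one at a stroke. All names, keys and the cookie layout are hypothetical.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Hypothetical cookie layout: base64url(JSON payload) "." hex(HMAC-SHA256(payload)).
# The payload carries the user id, an expiry and a random session nonce.


def _sign(payload: bytes, key: bytes) -> str:
    """HMAC-SHA256 tag over the raw payload bytes, hex-encoded."""
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def issue_cookie(user_id: str, key: bytes, ttl_seconds: int = 3600,
                 now: Optional[float] = None) -> str:
    """Mint a signed session cookie for a user who has just authenticated."""
    now = time.time() if now is None else now
    payload = json.dumps(
        {"uid": user_id, "exp": int(now + ttl_seconds), "nonce": secrets.token_hex(8)},
        separators=(",", ":"),
    ).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload, key)


def session_nonce(cookie: str) -> Optional[str]:
    """Extract the nonce so an individual session can be added to a revocation list."""
    try:
        b64, _ = cookie.rsplit(".", 1)
        return json.loads(base64.urlsafe_b64decode(b64.encode()))["nonce"]
    except (ValueError, KeyError, binascii.Error):
        return None


def verify_cookie(cookie: str, key: bytes, revoked: set,
                  now: Optional[float] = None) -> Optional[str]:
    """Return the user id if the cookie is genuine, unexpired and not revoked; else None.

    No password is involved at this point: a cookie that passes these checks is the
    login. That is exactly why a key compromise, or a weak check, lets an attacker
    into accounts with fabricated cookies, and why invalidating cookies matters.
    """
    now = time.time() if now is None else now
    try:
        b64, sig = cookie.rsplit(".", 1)
        payload = base64.urlsafe_b64decode(b64.encode())
    except (ValueError, binascii.Error):
        return None  # malformed
    # Constant-time comparison of the tag: a cookie signed under any other key,
    # or with an edited payload, fails here.
    if not hmac.compare_digest(_sign(payload, key), sig):
        return None  # forged or tampered
    try:
        data = json.loads(payload)
        uid, exp, nonce = data["uid"], int(data["exp"]), data["nonce"]
    except (ValueError, KeyError, TypeError):
        return None
    if exp < now:
        return None  # expired
    if nonce in revoked:
        return None  # individually invalidated session
    return uid


def forge_cookie(user_id: str, attacker_key: bytes, now: Optional[float] = None) -> str:
    """What an attacker without the server key can do: produce a well-formed cookie
    for any user, signed under a key of their own choosing. Used only to show that
    verify_cookie() rejects it."""
    return issue_cookie(user_id, attacker_key, now=now)


def rotate_key() -> bytes:
    """Global invalidation: every cookie signed under the previous key stops verifying."""
    return secrets.token_bytes(32)


if __name__ == "__main__":
    key = secrets.token_bytes(32)          # constructed server secret
    cookie = issue_cookie("alice", key)
    print("genuine cookie ->", verify_cookie(cookie, key, set()))
    print("forged cookie  ->", verify_cookie(forge_cookie("alice", b"x" * 32), key, set()))
    new_key = rotate_key()
    print("after rotation ->", verify_cookie(cookie, new_key, set()))
```

The check only helps while the signing key stays secret: an attacker holding the server's key can mint cookies that pass every test above, which is why, once forgery is suspected, rotating the key and revoking outstanding sessions is the response, and why a second factor at login limits what a stolen or forged session can be turned into.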
According to Jason Hart, Vice President and Chief Technology Officer at Gemalto, this news is both surprising and expected. He adds:
The company recommended that users consider adopting its Yahoo Account Key, an authentication tool that eliminates the need for a password. However, tools like this only work if the user remembers to activate them. Given the current security climate, all companies should have multi-factor authentication activated by default for all online accounts. Opt-in security is not an option in this day and age.