How Hackers Used 'Forged Cookies' To Access Yahoo Accounts: No Password Needed [Analysis]
However, a recent announcement from Yahoo gives users, especially those affected by the hacking, a clear and scary picture of just what kind of advanced techniques hackers are using to steal data.
Latest Yahoo Data Breach Involved 'Forged Cookies'
Yahoo is not even out of the doghouse for the massive data breach it confirmed in September 2016, in which 500 million users were compromised. It received yet another blow just two months later, when the company announced a breach that compromised the data of 1 billion users.
In a round of announcements on Feb. 15, Yahoo notified account owners who may have been affected by the massive data breach in 2015 and 2016 that malicious state-sponsored hackers used counterfeit cookies to access accounts.
NOTE: This is all without the need for passwords or answers to security questions.
"[Our] outside forensic experts have been investigating the creation of forged cookies that could allow an intruder to access users' accounts without a password [...] We have connected some of this activity to the same state-sponsored actor believed to be responsible for the data theft we disclosed on Sept. 22, 2016," Yahoo explained in a security notice in December last year.
The company confirmed that it sent notifications to users affected by the December 2016 breach, as identified by outside forensic experts, but it declined to say how many victims the experts had identified.
A Twitter user and compromised Yahoo account owner posted a photo of the notification he received from the company.
— Joshua B. Plotkin (@jplotkin) February 15, 2017
What Are Forged Cookies?
Cookies are strings of computer data saved on user devices. They allow websites to identify a user or device that accesses them, along with that user's preferences, such as language and other identifiable information.
There are, however, some cookies that enable users to log in to their accounts without the need to keep typing in their passwords, and these are what the hackers forged to crack open accounts.
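To make the login-cookie idea concrete, here is an added example (not Yahoo's code; the article does not describe Yahoo's cookie format) of one common design: the server signs each cookie with a secret key and rejects anything whose signature does not verify. The key names, cookie layout and timestamp are assumptions constructed for the demo.

```python
import base64
import hashlib
import hmac

# Constructed demo keys (assumption); real keys live in a secrets manager.
KEYS = {"k1": b"demo-signing-key-one", "k2": b"demo-signing-key-two"}

def b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(key: bytes, payload: str) -> str:
    return b64e(hmac.new(key, payload.encode(), hashlib.sha256).digest())

def issue_cookie(user: str, now: int, key_id: str = "k2", ttl: int = 3600) -> str:
    """Mint a login cookie: key id, user, expiry, and an HMAC over all three."""
    payload = f"{key_id}.{b64e(user.encode())}.{now + ttl}"
    return f"{payload}.{sign(KEYS[key_id], payload)}"

def verify_cookie(cookie: str, now: int, keys=None):
    """Return the user name if the cookie is authentic and unexpired, else None."""
    keys = KEYS if keys is None else keys
    parts = cookie.split(".")
    if len(parts) != 4:
        return None
    key_id, user_b64, expires, tag = parts
    key = keys.get(key_id)
    if key is None:  # retired key: every cookie it signed is rejected
        return None
    expected = sign(key, f"{key_id}.{user_b64}.{expires}")
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return None  # signature mismatch: the cookie was altered or not issued here
    if not expires.isdigit() or int(expires) < now:
        return None
    return b64d(user_b64).decode()

if __name__ == "__main__":
    NOW = 1487116800  # constructed timestamp: 2017-02-15 00:00:00 UTC
    good = issue_cookie("alice", NOW)
    altered = good.split(".")
    altered[1] = b64e(b"bob")  # user field changed, signature left as-is
    print(verify_cookie(good, NOW))                # accepted
    print(verify_cookie(".".join(altered), NOW))   # rejected
    # Retiring the signing key invalidates every cookie it ever signed.
    print(verify_cookie(good, NOW, keys={"k3": b"demo-signing-key-three"}))
```

In a design like this the password is never consulted once a cookie exists, so the signing key and the data used to build cookies need the same protection as the password store itself.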
What Has Yahoo Done So Far Against Forged Cookies?
Yahoo claims its experts have invalidated the forged cookies, never to be used again.
While the action is welcome, it is honestly too little and too late because too many user accounts have been compromised regardless of the "strength" of passwords and security questions which, in the first place, were supposed to be a user's line of defense against possible hackers.
In addition, the same type of attack had already been identified in Yahoo's October 2016 SEC filing, so for it to happen again months later may be an oversight on the company's part.