Slashdot Mirror

← Back to Stories (view on slashdot.org)

Yahoo Says Forged Cookie Attack Accessed About 32 Million Accounts (cnet.com)

Posted by BeauHD on from the gets-worse-before-it-gets-better dept.

It looks like Yahoo has yet to reach its lowest point. The company revealed today via a regulatory filing that about 32 million user accounts were accessed by hackers in the past two years using forged cookies that allowed them to log into their accounts without passwords. According to Yahoo, the attack is likely connected to the "same state-sponsored actor believed to be responsible for the 2014 [breach]," which resulted in the theft of user information from 500 million user accounts. CNET reports: "Based on the investigation, we believe an unauthorized third party accessed the company's proprietary code to learn how to forge certain cookies," Yahoo said in its annual filing to the Securities and Exchange Commission. The company went on to say that forged cookies have been invalidated to prevent further use on accounts. Yahoo revealed the attack in December but the news was largely overlooked because the company announced at the same time it had identified a separate security breach that took place in 2013 in which hackers stole information on 1 billion Yahoo accounts. Yahoo CEO Marissa Mayer also revealed today that she is giving yahoo employees her annual bonus to make up for the massive hacks.

1 of 30 comments (clear)

  1. $150K to prevent these sure looks cheap now by raymorris · · Score: 5, Interesting

    These vulnerabilities were of course in Yahoo's major service, not some minor service few people used or thought about. In other words, Yahoo mail is probably the number one thing Yahoo should have been thinking about when it comes to security. It also appears likely that these vulnerabilities were simple enough that a dedicated security professional reviewing their systems full time would or should have caught the mistakes, or at least mitigated the risks by pointing out that passwords weren't properly salted and hashed (for the 1 billion hack). It really looks like they could have prevented these by hiring one good security professional; and somebody working remote would have cost them $150K/year, someone in California maybe $300K.

    So essentially they chose to lose $350 million in value rather than prevent the losses by spending $150K-$300K on a competent security person.