Hackers May Have Used Cookies for Persistent Access to Yahoo Accounts

Yahoo has revealed more about the massive data breach experienced in 2014 and says that in addition to the initial hack that provided hackers with users’ credentials, those actors may also have used cookies to bypass Yahoo security measures. This would have allowed the hackers to access users’ accounts for a considerable period of time after the initial attack.

In a US Securities and Exchange Commission filing, Yahoo explained that “Forensic experts are currently investigating certain evidence and activity that indicates an intruder, believed to be the same state-sponsored actor responsible for the security Incident, created cookies that could have enabled such intruder to bypass the need for a password to access certain users’ accounts or account information.”

Yahoo is currently trying to pinpoint exactly when access to data was gained and when the hackers developed a way to get back into users’ accounts. At present, Yahoo believes that access to users’ accounts has now been blocked and the individual or individuals behind the attack can no longer gain access to users’ accounts.

It has also emerged that some individuals within the company may have been aware of the breach at the time. Yahoo has explained to regulators that the investigation is ongoing and the company is trying to ascertain whether some individuals were aware of the breach at the time and exactly how much was known.

Yahoo has also said that it has been contacted by law enforcement, which has shared data that is believed to have come from the hacker responsible for the attack, although it is not totally clear whether the data supplied by the hacker came from the 2014 breach. Yahoo said it is investigating and will “Analyze and investigate the hacker’s claim that the data is Yahoo user account data.”

The breach, which was announced in July this year, resulted in the theft of 500 million users’ credentials, making it the largest cyberattack ever reported. Earlier this year Verizon negotiated a take-over deal with Yahoo worth $4.83 billion. Verizon is due to complete in early 2017, although news of the massive hack threatens to derail the deal. Verizon has already sought a 1 billion discount on the purchase price and may even pull out altogether, especially if it turns out the Yahoo was aware of the attack, yet did not disclose this to Verizon prior to the deal being agreed.  Verizon only found out about the breach a few days before it was made public.

Yahoo is also facing a growing number of class action lawsuits from breach victims who claim to have suffered financially as a result of the breach. 23 class-action lawsuits have already been filed.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news