The general consensus on 2016 is that it’s been a rather rubbish year – and it just got worse for Yahoo.
Earlier in the year Yahoo revealed that its servers had been breached and that data for some 500 million accounts had been compromised. The company has now revealed that it suffered what it believes to be a separate breach of its servers in August 2013 and says that more than one billion accounts were compromised.
The compromised user data includes names, email addresses, telephone numbers, dates of birth, passwords hashed with MD5 (a hash function, not encryption, and one that is fast enough for an attacker to test password guesses against cheaply) and, in some cases, security questions and answers, which were stored encrypted for some accounts and unencrypted for others.
Yahoo has said that payment card data, bank account information and plaintext passwords were not compromised by the breach. Since MD5 digests of common passwords can be recovered quickly from a wordlist, users should nonetheless treat any password they had set in 2013 as exposed.
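To show why "hashed with MD5" offers little protection once the database is stolen, here is an added example (written for this article, not Yahoo's code, and using an invented user table and wordlist rather than any real breach data) that runs a dictionary attack against unsalted MD5 digests and then the same attack against per-user salted PBKDF2 for contrast. The account names, passwords and wordlist are constructed for the demonstration.

```python
import hashlib
import os

# Constructed sample data: a "leaked" user table holding unsalted MD5 password
# digests, the form the article says the stolen passwords were stored in.
# Accounts and passwords are invented; nothing here is real Yahoo data.
def md5_hex(password: str) -> str:
    return hashlib.md5(password.encode("utf-8")).hexdigest()

LEAKED_TABLE = {
    "alice@example.com": md5_hex("password"),
    "bob@example.com": md5_hex("letmein"),
    "carol@example.com": md5_hex("password"),       # same password as alice
    "dave@example.com": md5_hex("gX9#vL2!qRw7eT"),  # not in any small wordlist
}

# A tiny constructed wordlist; real attacks use hundreds of millions of entries.
WORDLIST = ["123456", "password", "qwerty", "letmein", "yahoo2013"]


def crack_unsalted_md5(table: dict, wordlist: list) -> dict:
    """Dictionary attack on unsalted MD5.

    One digest per candidate word is computed up front; every leaked hash is
    then a dictionary lookup. Because there is no salt, identical passwords
    produce identical digests, so one computation cracks every account that
    chose that password.
    """
    lookup = {md5_hex(word): word for word in wordlist}
    return {user: lookup[digest] for user, digest in table.items() if digest in lookup}


def pbkdf2_store(password: str, salt: bytes = None, iterations: int = 50_000) -> tuple:
    """Salted, deliberately slow hash for contrast (PBKDF2-HMAC-SHA256).

    Each account gets its own random salt, so two users with the same password
    get different digests and no precomputed table can be shared between them.
    """
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest, iterations


def crack_pbkdf2(stored: dict, wordlist: list) -> dict:
    """The same dictionary attack against salted PBKDF2.

    Every (account, candidate) pair now costs a full slow hash and nothing
    carries over from one account to the next; the attacker's work grows with
    accounts * candidates * iterations instead of just candidates.
    """
    found = {}
    for user, (salt, digest, iterations) in stored.items():
        for word in wordlist:
            candidate = hashlib.pbkdf2_hmac("sha256", word.encode("utf-8"), salt, iterations)
            if candidate == digest:
                found[user] = word
                break
    return found


def work_comparison(table: dict, wordlist: list) -> dict:
    """Number of hash computations each attack needs to test the whole wordlist."""
    return {
        "unsalted_md5": len(wordlist),
        "salted_pbkdf2": len(table) * len(wordlist),
    }


if __name__ == "__main__":
    print("MD5 cracked:", crack_unsalted_md5(LEAKED_TABLE, WORDLIST))
    salted = {user: pbkdf2_store(pw) for user, pw in
              [("alice@example.com", "password"), ("carol@example.com", "password")]}
    print("same password, different salted digests:",
          salted["alice@example.com"][1] != salted["carol@example.com"][1])
    print("hash operations needed:", work_comparison(LEAKED_TABLE, WORDLIST))
```

With a real wordlist the MD5 side finishes in seconds on commodity hardware, which is why the hashes should be treated as the passwords themselves; the salted, iterated scheme multiplies the attacker's cost per account and stops one crack from covering every user who picked the same password.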
The ominous cookie monster
The breach, according to Yahoo, came by way of cookies. “Based on the ongoing investigation, we believe an unauthorized third party accessed our proprietary code to learn how to forge cookies,” Yahoo chief information security officer, Bob Lord said in a blog post.
These forged cookies are believed to have let an attacker access a user's account without needing the password: the cookie is what the site checks to decide that a session is already logged in, so an attacker who can mint a valid-looking one for any account bypasses the login step entirely.
Affected users have been notified of the breach, and Yahoo says it has invalidated the forged cookies so that they can no longer be used to log in.
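The mechanics of cookie forgery are easier to see in code. The following is an added example for this article, not Yahoo's own implementation, and it makes no claim about how Yahoo's cookies were actually built; it models a common scheme in which a server signs a cookie payload with an HMAC key, and assumes hypothetical keys SECRET_V1 and SECRET_V2. It shows that an attacker who learns the key and the cookie format (the "proprietary code" in Yahoo's statement) can mint a cookie for any user that the server accepts exactly as it would its own, that tampering without the key fails, and that rotating the key is what invalidates every cookie minted under the old one.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time
from typing import Optional

# Hypothetical server-side signing keys for this example. In a real deployment
# the key would live in configuration or code; an attacker who reads that code
# and learns the cookie layout is in the position this function set models.
SECRET_V1 = b"constructed-example-signing-key-v1"
SECRET_V2 = b"constructed-example-signing-key-v2"  # replacement after rotation


def _sign(secret: bytes, payload: bytes) -> bytes:
    return hmac.new(secret, payload, hashlib.sha256).digest()


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text.encode("ascii"))


def issue_cookie(secret: bytes, user: str, ttl: int = 86400, now: Optional[int] = None) -> str:
    """Server side: mint base64(payload).base64(HMAC-SHA256(secret, payload))."""
    now = int(time.time()) if now is None else now
    payload = json.dumps({"user": user, "exp": now + ttl}, separators=(",", ":")).encode()
    return _b64e(payload) + "." + _b64e(_sign(secret, payload))


def verify_cookie(secret: bytes, cookie: str, now: Optional[int] = None) -> Optional[str]:
    """Server side: return the user name if the cookie is authentic and unexpired.

    No password is consulted here; a cookie with a valid signature *is* the
    proof of login, which is why a forged one grants access on its own.
    """
    now = int(time.time()) if now is None else now
    try:
        payload_b64, sig_b64 = cookie.split(".", 1)
        payload, sig = _b64d(payload_b64), _b64d(sig_b64)
    except (ValueError, binascii.Error):
        return None
    if not hmac.compare_digest(sig, _sign(secret, payload)):
        return None
    try:
        claims = json.loads(payload)
    except ValueError:
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims.get("user")


def forge_cookie(leaked_secret: bytes, victim: str, now: Optional[int] = None) -> str:
    """Attacker side: with the leaked key and format, forging is identical to issuing."""
    return issue_cookie(leaked_secret, victim, now=now)


def tamper_without_key(cookie: str, victim: str) -> str:
    """Attacker side without the key: rewrite the payload and keep the old signature."""
    payload_b64, sig_b64 = cookie.split(".", 1)
    claims = json.loads(_b64d(payload_b64))
    claims["user"] = victim
    new_payload = json.dumps(claims, separators=(",", ":")).encode()
    return _b64e(new_payload) + "." + sig_b64


def demo(now: int = 1_480_000_000) -> dict:
    """Forge a cookie under the leaked key, then rotate the key to invalidate it."""
    forged = forge_cookie(SECRET_V1, "victim@example.com", now=now)
    legit = issue_cookie(SECRET_V1, "alice@example.com", now=now)
    return {
        "forged_accepted_before_rotation": verify_cookie(SECRET_V1, forged, now=now),
        "tampered_without_key": verify_cookie(SECRET_V1, tamper_without_key(legit, "victim@example.com"), now=now),
        "forged_after_rotation": verify_cookie(SECRET_V2, forged, now=now),
        "legit_after_rotation": verify_cookie(SECRET_V2, legit, now=now),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

The last two entries of demo() show the cost of the fix: rotating the key invalidates the forged cookies, but it invalidates every legitimate session signed with the old key as well, so all users are forced to log in again. That is the trade-off behind a statement that forged cookies have been invalidated.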
Once again, Yahoo has said that it believes that the breach was executed by state-sponsored attackers. “We have connected some of this activity to the same state-sponsored actor believed to be responsible for the data theft the company disclosed on September 22, 2016,” said Lord.
Given the severity of this breach, we advise anybody who has ever used a Yahoo account to change their password and security questions, and to do the same on any other site where they reused that password or the same security answers, since that is exactly the information an attacker holding this data will try elsewhere.
[Source – Yahoo]