On December 14, 2016, Bob Lord, Yahoo’s Chief Information Security Officer, announced an unknown third party had used forged cookies to enter the Yahoo account of more than one billion users without requiring the password.
According to Bob Lord, Yahoo does not know who the thieves are, but they are working with security agencies and private contractors to find the group behind the massive breach.
Yahoo thinks the thieves had access to the personal information including names, email addresses, phone numbers, and even security questions. However, the company believes the bank information is safe.
Bob Lord explained Yahoo kept the payment card data and bank account information in a different system which they “believe was not affected,” but it’s clear Yahoo is not completely sure whether the hackers got its users baking data.
Yahoo is living every tech company nightmare
The statement explains an unidentified law enforcement agency got in contact with Yahoo’s senior staff. The officials gave the organization a series of data files which an unknown third party claimed had Yahoo user data.
Lord’s team carried out the pertinent analysis on the information and even hired forensic experts to get a second opinion on the files. To their horror and disbelief, the data confirmed the breach of more than one billion user accounts.
So far, Yahoo’s Information security team has not identified the people behind the hack, but thanks to the forensic contractors, the company thinks they know how the hackers accessed their users’ accounts.
The forensic experts told Yahoo, the unauthorized third party stole the organization’s proprietary codes and used them to forge cookies. With them, they could access all the accounts without requiring the password.
A phantom group is terrorizing Yahoo
Bob Lord said he believed the same group that forged the cookies was behind the event the company reported on September 22. In that opportunity, Yahoo said a group of hackers had compromised more than 500 million accounts.
The FBI believes a group of Russian hackers was behind the September breach, but they have not presented conclusive evidence yet.
Starting today, Yahoo is encouraging its mail users to update their personal information and change their passwords, especially if they used the same pin on other companies’ services life Facebook or Hotmail.
Bob Lord announced his team had invalidated the forged cookies, so the attackers cannot use them again to steal more information. He added all Yahoo users would need to change their security questions in the coming days.
It seems clear Yahoo cannot provide its users one of the most important things on the net: Privacy. The company is on the verge of a merger with Verizon, but after the September breach and today’s announcement, that scenario seems unlikely.