Clever hackers don’t even need your password to access your account

Here we go again.

Yahoo is warning some of its users that hackers may have used forged cookies — small files that websites create to store your information — to log into their accounts, thus gaining access without a password.

Forging. Cookies.

The attack, which was originally announced in a security update in December 2016, took place between 2015 and 2016. It’s the latest in a series of cybersecurity issues faced by the tech company.

Yahoo forensic experts have been investigating the creation of forged cookies linked to state-sponsored hackers that “could have enabled an intruder to access our users’ accounts without a password.”

“The investigation has identified user accounts for which we believe forged cookies were taken or used. Yahoo is in the process of notifying all potentially affected account holders. Yahoo has invalidated the forged cookies so they cannot be used again,” said a statement.

A source familiar with the investigation said notifications have gone out to a reasonably final list of users. So there’s a good chance you already know about this.

The process for creating these cookies is quite sophisticated — and rather worrying.

While many hackers would just try to steal your passwords, these smart guys forged cookies that a web browser would present to Yahoo as if you had already logged in.

