Yahoo hack warning: What happened and should you be worried?
Yahoo has warned customers that cyber attackers may have compromised their accounts in the past two years, finally alerting them about malicious activity it has known about for months.
The warning, which has been issued to affected customers, says hackers may have been able to access their accounts without knowing the password. The attackers are believed to have stolen Yahoo’s source code and used it between 2015 and 2016 to create forged cookies, allowing them to log in to users’ accounts without their details.
“We are writing to inform you about a data security issue that involves your Yahoo account,” the warning from Bob Lord, Yahoo chief information security officer, begins. “Our outside forensics experts have been investigating the creation of forged cookies that could allow an intruder to access users’ accounts without a password.
“Based on the ongoing investigation, we believe a forged cookie may have been used in 2015 and 2016 to access your account.”
The problem is separate from the two major data breaches Yahoo disclosed last year, which involved the loss of personal information from 1.5 billion user accounts in 2013 and 2014. Yahoo believes, however, that the “state-sponsored actor” it attributed the 2014 hack to may also be behind the cookie attack.
Yahoo first said it was investigating the “forged cookie” problem when it disclosed the second, larger hack of 1 billion accounts in December. In a filing at the end of last year it said, “the company believes an unauthorized third party accessed the company’s proprietary code to learn how to forge cookies”. It is not clear why it has taken the company two months to contact affected customers.
Yahoo said: “The investigation has identified user accounts for which we believe forged cookies were taken or used. Yahoo is in the process of notifying all potentially affected account holders. Yahoo has invalidated the forged cookies so they cannot be used again.”
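The forged-cookie problem and the invalidation Yahoo describes, as an added illustration written for this page (not Yahoo’s code; the server-held key, the per-account session counter and the cookie layout are assumptions): a session cookie whose authenticity depends on a secret key rather than on the secrecy of the source code, plus a per-account counter that lets the server invalidate every cookie already issued.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed illustration. The key lives only on the server and is never in
# source control, so someone who has read the code still cannot mint a valid
# cookie. The generation counter is the server-side handle for revocation.
SECRET_KEY = secrets.token_bytes(32)
SESSION_GENERATION = {"alice": 1}  # constructed sample account


def mint_cookie(user, key=SECRET_KEY, now=None):
    """Issue a cookie: base64 payload + HMAC-SHA256 tag over that payload."""
    issued = int(time.time() if now is None else now)
    payload = {"u": user, "g": SESSION_GENERATION[user], "exp": issued + 3600}
    body = base64.urlsafe_b64encode(
        json.dumps(payload, separators=(",", ":")).encode()).decode()
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def verify_cookie(cookie, key=SECRET_KEY, now=None):
    """Return the user name if the cookie is authentic and still valid, else None."""
    try:
        body, tag = cookie.split(".", 1)
    except ValueError:
        return None  # malformed
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None  # tag mismatch: forged, tampered, or wrong key
    payload = json.loads(base64.urlsafe_b64decode(body))
    if payload["exp"] < int(time.time() if now is None else now):
        return None  # expired
    if payload.get("g") != SESSION_GENERATION.get(payload["u"]):
        return None  # revoked: account's sessions were invalidated server-side
    return payload["u"]


def invalidate_all_sessions(user):
    """Bump the account's generation so every previously issued cookie fails."""
    SESSION_GENERATION[user] = SESSION_GENERATION.get(user, 0) + 1
```

A cookie minted with any key other than the server’s fails verification, and bumping the generation is the server-side equivalent of the invalidation described in Yahoo’s statement.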
The warnings come as Yahoo’s deal with Verizon draws to a close. The telecoms giant is going ahead with plans to buy the internet business arm of Yahoo despite the two historic data breaches. After almost being derailed, Verizon is expected to knock around $250 million off the price of the $4.8 billion deal, which could close in the coming weeks.
I have a Yahoo account, should I be worried?
If you have a Yahoo account you should check whether you have received the warning message. As the company is still in the process of alerting affected customers, users should be vigilant in checking for a warning and should follow the security recommendations in the meantime. The company said it has alerted almost all affected users, but its investigation is ongoing.
Yahoo has now fixed the problem, though, so accounts should no longer be at risk.
Those who have already been affected could be targeted by fraudsters looking for personal and financial information.
If Yahoo has contacted you about the security problem you should follow the advice in the email. This includes reviewing all of your accounts for suspicious activity and being cautious when opening and responding to unsolicited communications.
Fraudsters could use the basic information they may have gleaned to extract more details from victims, such as credit card information.
The best way to protect against fraud online is to use strong and unique passwords, be extra suspicious when receiving unsolicited messages, and to never click on links or open attachments in messages that could be fake. Users are advised to never respond to calls, emails or text messages asking for personal information.
It is also recommended that you change your passwords and security questions for any accounts that used the same or similar details to those used on Yahoo. It is advisable to never use the same password more than once, and to use a password manager such as LastPass or Yahoo Account Key to prevent yourself from forgetting them.
How to delete your Yahoo account
- Go to edit.yahoo.com/config/delete_user and log in to your email as normal
- If you sign in using a phone number visit this page instead and do the same
- Read the information carefully under the heading “Before continuing, please consider the following information”
- Confirm your password
- Select “Terminate this account”
- The page will display a message that says “Terminating your Yahoo account”