Yahoo users have a new breach notification warning that may be on the way.
Yahoo is in the process of notifying individuals affected by a previously announced hack involving forged cookies, which allowed an intruder to access people’s accounts without entering a password.
Yahoo in December said its outside forensic experts were investigating a forged cookie attack, which occurred between 2015 and 2016. The investigation connected some of that activity to the state-sponsored actor behind the 2014 theft of at least 500 million Yahoo user accounts disclosed in September.
Some users have posted on Twitter screenshots of the letter they received from Yahoo about the forged cookie attack.
Hopefully the cookie was forged by a state known for such delicacies. #yahoo #security #baking pic.twitter.com/7gCeEd3Y51
— Joshua B. Plotkin (@jplotkin) February 15, 2017
“We are writing to inform you about a data security issue that involves your Yahoo account,” the letter begins. It goes on to say that “a forged cookie may have been used in 2015 or 2016 to access your account.”
Yahoo said it has invalidated the forged cookies so they can’t be used again.