Yahoo on Wednesday announced its third breach in less than six months – some users’ accounts were accessed without their knowledge from 2015 to 2016. The news came just months after the multinational tech company confirmed that more than one billion accounts had been infiltrated in a 2013 security breach. Last September, Yahoo revealed that a similar attack in 2014 targeted 500 million users.
It’s unclear how many people were affected by the 2015 to 2016 hack.
The 23-year-old company can hardly be recognized from two decades ago, when it was the most popular starting point for anyone surfing the web.
“This third breach announcement by Yahoo is extremely worrisome,” cybersecurity expert Kenneth Holley told us Thursday. “This specific breach revolves around the use of forged cookies in order to access user accounts without the need for a password – such a compromise would require the attackers to have access to the Yahoo source code for their cookie creation, even more worrisome.”
Holley is the co-founder of Shield Logic, a Washington, D.C.-based cybersecurity firm that provides web protection for US federal, state and local governments. He is also the CEO of Information Systems Integration, a company that launched just one year before Yahoo.
The recently announced hack used forged cookies to bypass users’ passwords and gain access to their accounts: a cookie that the service accepts as proof of a logged-in session lets the holder skip the password check entirely.
“Based on the ongoing investigation, we believe a forged cookie may have been used in 2015 or 2016 to access your account,” Yahoo said Wednesday in an email sent to users.
The incident likely means one of two things, according to Holley – either Yahoo’s security defenses have been completely breached, or data was leaked from inside the company.
“It is clear that Yahoo continues to suffer the ramifications of a poor security architecture,” Holley added. “One also has to be concerned as to exactly how the cookie source code came into the hands of attackers – a leak from the inside or a full blown compromise of their infrastructure.”
Many companies aren’t as secure as they think, Kevin Haley, director of Symantec Security Response, told us Thursday.
“It’s critical that companies follow industry best practices now before it’s too late. This includes implementing multi-layered security, data loss prevention, encryption and strong authentication to safeguard company data,” he advised. “But even with the best security, it can happen. Consider cyber insurance. The cost of breaches can be extremely high, almost always higher than companies anticipate.”
Either way, it’s bad news for Yahoo.
“At this point I would doubt that Yahoo, or its eventual purchaser, can do much to regain user trust,” Holley said. “These are serious compromises and I would recommend that any Yahoo account user seriously consider moving on.”