Yahoo announced one of the biggest security breaches ever, with 1 billion user accounts compromised. This was a separate incident from the September disclosure, in which 500 million accounts were compromised. The breach disclosed first actually occurred in 2014, while the breach disclosed in December took place back in 2013. While cycling passwords and using strong passwords is always a good idea, it would not have helped in this particular breach.
A state-sponsored actor is believed to be involved in a third breach, in which user accounts were accessed with forged cookies over the course of 2015 to 2016. The accounts were compromised using fake cookies that did not require passwords for authentication. Unknown parties spoofed cookies and accessed user accounts; a security agency is contacting these accounts directly and has invalidated the forged cookies. The parties had access to Yahoo’s proprietary code for generating these fake cookies. Yahoo has not disclosed the number of accounts compromised with forged cookies.
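The mechanism behind a forged-cookie breach is easier to see with a small model of how a session cookie is normally protected. The example below is added here and is not Yahoo's code: it signs each cookie with a versioned server-side key (HMAC-SHA256), rejects cookies whose signature does not verify, and shows why anyone holding the signing key or the code that embeds it can mint a cookie that passes without a password. Rotating the key is what invalidates every outstanding cookie, genuine or forged, at once. The class name, cookie layout and key values are assumptions made for the example.

```python
import hashlib
import hmac
import time


class SessionCookies:
    """Mint and verify HMAC-signed session cookies with rotatable keys (constructed example)."""

    def __init__(self, initial_key: bytes):
        # Versioned keys so a rotation can retire every earlier version at once.
        # In a real deployment the keys live in a secrets store, never in source.
        self.keys = {1: initial_key}
        self.current = 1

    @staticmethod
    def _mac(key: bytes, payload: str) -> str:
        return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()

    def mint(self, user: str, lifetime: int = 3600, now: int = None) -> str:
        """Issue a cookie for an already-authenticated user: version|user|expiry|signature."""
        now = int(time.time()) if now is None else now
        payload = f"{self.current}|{user}|{now + lifetime}"
        return f"{payload}|{self._mac(self.keys[self.current], payload)}"

    def verify(self, cookie: str, now: int = None):
        """Return the user if the cookie is genuine and unexpired, otherwise None."""
        now = int(time.time()) if now is None else now
        try:
            version, user, expiry, sig = cookie.split("|")
            version, expiry = int(version), int(expiry)
        except ValueError:  # malformed cookie
            return None
        key = self.keys.get(version)
        if key is None:  # signed under a retired key: no longer accepted
            return None
        payload = f"{version}|{user}|{expiry}"
        # Constant-time comparison so a forger cannot learn the MAC byte by byte.
        if not hmac.compare_digest(self._mac(key, payload), sig):
            return None
        if expiry <= now:
            return None
        return user

    def rotate(self, new_key: bytes) -> int:
        """Retire all existing keys; every cookie issued or forged so far stops working."""
        self.keys.clear()
        self.current += 1
        self.keys[self.current] = new_key
        return self.current


if __name__ == "__main__":
    signer = SessionCookies(b"placeholder-key-v1-not-for-production")
    cookie = signer.mint("alice@example.com", lifetime=60, now=1000)
    print("genuine cookie ->", signer.verify(cookie, now=1010))
    # A cookie built without the key carries a bogus signature and is rejected.
    forged = "1|victim@example.com|999999|" + "0" * 64
    print("forged cookie  ->", signer.verify(forged, now=1010))
    signer.rotate(b"placeholder-key-v2-not-for-production")
    print("after rotation ->", signer.verify(cookie, now=1010))
```

The point the example makes for defenders: verification only proves that whoever produced the cookie held the key, not that a password was ever entered. Once the signing code and key are in an attacker's hands, the only remedy is rotation plus re-authentication, which is what "invalidating the forged cookies" amounts to.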
If you have been affected, Yahoo would have sent an email directly to your address. A Yahoo icon is displayed next to the email from Yahoo to indicate that the source of the email is authentic. The icon does not show up on emails that are not from Yahoo. In the wake of a breach, user accounts are more susceptible to social engineering attacks and phishing scams, so be wary of such emails.
The compromised account details include names, email addresses, telephone numbers, dates of birth, hashed passwords and, for some accounts, encrypted and unencrypted security questions and answers. The hashed passwords cannot be easily recovered, though, and Yahoo has since moved to the stronger and more secure hashing mechanism provided by bcrypt. Unencrypted security questions and answers have been invalidated and can no longer be used to access accounts. Forged cookies have also been invalidated.
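Why a move to bcrypt matters is easier to see side by side with the weaker scheme it replaces. The example below is added here and is not Yahoo's code. It uses PBKDF2-HMAC-SHA256 from the Python standard library as a stand-in for bcrypt (the page names bcrypt; bcrypt is not in the standard library), since it has the same two properties that make stolen hashes hard to recover: a per-user random salt, so two users with the same password get different records and one cracked hash gives away nothing about the others, and a tunable work factor that makes each guess expensive. It also shows the usual migration path, rehashing a legacy record the next time the user logs in. Function names, the record format and the iteration count are assumptions made for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work factor for the stand-in KDF; raise it over time as hardware gets faster.
ITERATIONS = 200_000


def legacy_hash(password: str) -> str:
    """Unsalted single-pass hash: the same password gives the same digest for every user."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Salted, iterated hash stored as algo$iterations$salt$digest (constructed format)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and work factor and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        iterations = int(iterations)
        salt = bytes.fromhex(salt_hex)
    except ValueError:  # malformed record
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(digest.hex(), digest_hex)


def upgrade_on_login(password: str, legacy_digest: str) -> Optional[str]:
    """Migrate a legacy record once the user presents the correct password; None if it is wrong."""
    if not hmac.compare_digest(legacy_hash(password), legacy_digest):
        return None
    return hash_password(password)


if __name__ == "__main__":
    # Constructed sample: two users who chose the same password.
    pw = "correct horse battery staple"
    print("legacy, user A:", legacy_hash(pw))
    print("legacy, user B:", legacy_hash(pw))   # identical: one lookup cracks both
    print("salted, user A:", hash_password(pw))
    print("salted, user B:", hash_password(pw))  # different salt, different record
    migrated = upgrade_on_login(pw, legacy_hash(pw))
    print("migrated verifies:", verify_password(pw, migrated))
```

With the legacy scheme, a breach dump can be matched against a precomputed table of common passwords in one pass; with the salted, iterated scheme every user's record has to be attacked separately and each guess costs the full work factor. That is the practical reason "the hashed passwords cannot be easily recovered" after the switch.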
Users can change their passwords and security questions in the edit profile interface. Yahoo encourages users to change the passwords, security questions, and answers for other accounts that use similar login credentials. The single most secure way of accessing your Yahoo account is through the Yahoo Account Key, a form of two-step authentication that requires the Yahoo app on your phone. There is no password; instead, a code is sent to the associated mobile phone to gain access to the account.