It's a Cookie Theft! Yahoo Announced Sophisticated Way Hackers Stole Data in 2013 Breach

February 17, 2017


Yahoo is notifying some users that their cookies were stolen. No, not by Cookie Monster, but by whoever perpetrated the breach that was announced in December 2016, occurred in 2013, and affected 1 billion Yahoo users.

The notice that is going out contains links, which turns this news event into a perfect phishing opportunity. Your safest bet is to never click on an unexpected or unknown link. If you want to go to a website, use a bookmark in your browser, type the address manually, or search for it. Links can be spoofed, and so can email addresses.

Cookies are small pieces of text exchanged between a user's device and a website. They are used to authenticate users, and they can track a user's movement around the site or save the user from re-entering information over and over on frequently visited sites. This information could be login IDs, zip codes, or even theme settings. Most cookies are temporary and are deleted once the session ends (session cookies), but others, such as those you give the site permission to save (perhaps your login ID and password), can stick around for a long time (persistent cookies). These are the ones Yahoo says were forged in order to get access to the accounts. The hacker(s) didn't even need to know passwords in this case; they just copied them from the cookies.

You can delete or clear your cookies anytime you wish. Depending on your browser, the process should be very simple; search for the instructions and clear them out. Keep in mind that many of your cookies were set up by you to make life simpler, so if you do this, you may have to re-enter data on a few of your favorite sites. Once they are cleared, you can check your cookie settings to be sure you are prompted anytime a website requests to use a cookie.

If you are a Yahoo user who has still not changed his or her password since these latest breaches were announced, take a moment to do that now. It's a good idea to change passwords on a regular basis, and considering how often sites are invaded these days, quarterly is becoming a better and better idea. When doing so, make sure that upper and lower case letters are used, a special character is included, and at least one number appears. Make sure all passwords are at least eight characters long whenever possible.

It's also not a great idea to save your passwords for online accounts. It may not be desirable to keep re-entering them, but it's much safer. In fact, if ever offered multi-factor authentication (MFA) for accounts such as email and online banking, take advantage of it. Then even if a hacker does get your cookies, he or she still can't get into your account because your MFA code will still be needed.

Yahoo says it is nearing the end of its investigation of the 2013 breach and notifying those that were affected by the forged cookies. It’s uncertain what advice they will provide in those notifications, but likely changing passwords will be part of it.

If you think that a data breach doesn't affect a business' value, think again. The combined breaches announced last year, affecting 1.5 billion users, may have saved Verizon a lot of money in its bid to buy Yahoo. It has been reported that the offer has decreased by $250 to $300 million.

© Copyright 2017 Stickley on Security