Yahoo customers are left defenceless as hackers bypass passwords thanks to forged cookies.

Yahoo has been plagued with problems lately, many of them stemming from years-old data breaches that were only recently discovered and announced. Due to what’s being hailed as the largest data breach in history with more than one billion user accounts compromised, the corporate office has had to notify users of the loss of their account passwords; more than that, they’ve struggled to keep the Verizon buyout on the table, with the asking price already dropping due to these security issues.

Now, Yahoo is quietly reaching out to individual users to let them know that additional breaches of their accounts may have occurred due to “forged cookies.” These attacks let hackers gain access without needing the account password at all, which means that anyone who changed their password as a routine precaution since 2013, or once the two original data breaches were announced, may not be able to rest easy after all.

In a statement to USA TODAY, Yahoo said the investigation into the breach “has identified user accounts for which we believe forged cookies were taken or used. Yahoo is in the process of notifying all potentially affected account holders. Yahoo has invalidated the forged cookies so they cannot be used again.”
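To make concrete why a forged cookie bypasses the password, and what "invalidating" a cookie means on the server side, the following is an added illustration written for this article; it is not Yahoo's code and says nothing about how Yahoo's cookies were actually constructed. It contrasts a naive cookie that simply states a user name (which anyone can write by hand) with an HMAC-signed cookie carrying a per-user session generation: the server rejects anything it did not sign, and bumping the generation number invalidates every cookie issued earlier, which is the defender's remedy the statement describes. The secret key, user names and time limits are constructed values for the demo.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo secret. A real deployment keeps this out of source control and rotates it.
SECRET_KEY = b"constructed-demo-key-do-not-reuse"

# Server-side state: current session generation per user. Bumping it invalidates old cookies.
SESSION_GENERATION = {"alice": 1}

MAX_COOKIE_AGE_SECONDS = 7 * 24 * 3600  # constructed lifetime for the demo


def naive_parse(cookie: str) -> Optional[str]:
    """The weak design: the server believes whatever user name the cookie claims."""
    return cookie[len("user="):] if cookie.startswith("user=") else None


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(payload: str) -> str:
    return _b64(hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).digest())


def issue_cookie(user: str, issued_at: Optional[int] = None) -> str:
    """Signed cookie: base64(json body) + '.' + HMAC over that body."""
    body = {"user": user, "gen": SESSION_GENERATION[user], "iat": int(issued_at or time.time())}
    payload = _b64(json.dumps(body, separators=(",", ":")).encode())
    return f"{payload}.{_sign(payload)}"


def verify_cookie(cookie: str, now: Optional[int] = None) -> Optional[str]:
    """Return the authenticated user, or None if the cookie is forged, tampered, stale or revoked."""
    try:
        payload, sig = cookie.split(".", 1)
    except ValueError:
        return None  # no signature part at all (e.g. a hand-written "user=bob")
    # Constant-time comparison so an attacker cannot learn the MAC byte by byte.
    if not hmac.compare_digest(sig, _sign(payload)):
        return None
    try:
        body = json.loads(_unb64(payload))
    except (ValueError, json.JSONDecodeError):
        return None
    user = body.get("user")
    # Revocation: the generation inside the cookie must match the server's current one.
    if SESSION_GENERATION.get(user) != body.get("gen"):
        return None
    # Expiry: cookies older than the allowed lifetime are rejected even if correctly signed.
    if (now or int(time.time())) - int(body.get("iat", 0)) > MAX_COOKIE_AGE_SECONDS:
        return None
    return user


def invalidate_sessions(user: str) -> None:
    """Server-side 'invalidate the cookies' step: every cookie issued before this call now fails."""
    SESSION_GENERATION[user] = SESSION_GENERATION.get(user, 0) + 1


if __name__ == "__main__":
    print("naive scheme accepts hand-written cookie:", naive_parse("user=alice"))
    good = issue_cookie("alice")
    print("signed cookie verifies:", verify_cookie(good))
    print("hand-written cookie rejected:", verify_cookie("user=alice"))
    invalidate_sessions("alice")
    print("old cookie after invalidation:", verify_cookie(good))
    print("fresh cookie after invalidation:", verify_cookie(issue_cookie("alice")))
```

The signature stops anyone from minting a cookie without the key, but it does not help once a validly signed cookie has been copied from a compromised system, which is why the generation counter (or an equivalent server-side session table) is needed: rotating it is the only way to make already-issued cookies stop working.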

After quietly informing the SEC last October in accordance with the requirements for their deal with Verizon, the company has now taken to informing affected users one by one. While Yahoo won’t disclose how many users were affected by this rather old form of attack, they did have the following recommendations for anyone who receives the breach notification:

  • Review all of your accounts for suspicious activity.
  • Be cautious of any unsolicited communications that ask for your personal information or refer you to a web page asking for personal information.
  • Avoid clicking on links or downloading attachments from suspicious emails.

“Additionally, please consider using Yahoo Account Key, a simple authentication tool that eliminates the need to use a password on Yahoo altogether.”

User response to Yahoo Account Key, the company’s own two-factor authentication, has been spotty. Most of the complaints stem from using it in conjunction with a mobile device and the headache of getting your own apps to sign in after enrolling. The real problem for many of the naysayers has been that opting back out of the service is not straightforward.