This attack is harder to trace because it does not involve, for example, malware that captures users’ passwords. Instead, the attackers had access to software linked to Yahoo’s security systems and used it to generate cookies that tell the service a user has already logged in. In this way, accounts could be accessed without a password.

Yahoo has been doing its best to keep the issue discreet. The company confirmed the intrusions to the press but did not disclose how many accounts were hit. The news only became public because some users shared the alert email on social networks.

— Joshua B. Plotkin (@jplotkin) February 15, 2017

The company had known about this form of hacking since last year, when security experts discovered the vulnerability that allows forged cookies to be used to access accounts. After that, Yahoo followed protocol: it warned the affected users and reinforced its security to prevent new attacks of this type (at least, that is what the company says). Because users are still being notified, it’s possible that the problem was more extensive than Yahoo expected or that the company is having difficulty identifying the affected accounts.

In the e-mail, the company states that the unauthorized access occurred in 2015 or 2016. The vulnerability that allowed the cookie system to be accessed was apparently exploited in 2014.

This sequence of security issues and management bottlenecks has put Yahoo in an extremely delicate position in the market. The solution is the sale of the company: in July 2016, the US operator Verizon signed an agreement to buy part of Yahoo for $4.83 billion.
