Yahoo Investigates Cookie Powered Password Bypass Hack

Yahoo is investigating a claim that a hacker created the means to access its users’ account data without needing their passwords.

In a filing to the US Securities and Exchange Commission, Yahoo said that law enforcement agencies began sharing information that they indicated was provided by the hacker, who claimed it was account data from Yahoo users.

It is unclear whether this hacker and the data relate to the massive data leak Yahoo recently suffered or to newly leaked data.

Yahoo said it is investigating whether the hacker could have gained access to the data by creating website ‘cookies’ that allowed normal password protection to be bypassed, though according to the Financial Times, a source familiar with the issue said Yahoo does not believe it is possible for hackers to forge valid Yahoo Mail cookies.

Yahoo hack saga

The past couple of months have been tough for Yahoo after the data of 500 million of its users was leaked following a data breach back in 2014.

The major data leak came at a time when the company is in the process of being acquired by Verizon, which has caused the US telecoms giant to voice concerns over the material impact the breach may have on its $4.8 billion deal to purchase Yahoo.

The latest part of the data breach saga now has an independent committee of Yahoo’s board investigating how much knowledge the company’s staff had of the 2014 data breach.

Yahoo claimed it became aware of the breach in August 2016, around a month after it reached a purchase deal with Verizon. But the filing suggests some of its employees may have known about the data breach around two years earlier.

“The Company had identified that a state-sponsored actor had access to the Company’s network in late 2014,” the filing noted.

“An Independent Committee of the Board, advised by independent counsel and a forensic expert, is investigating, among other things, the scope of knowledge within the Company in 2014 and thereafter regarding this access, the Security Incident, the extent to which certain users’ account information had been accessed, the Company’s security measures, and related incidents and issues.”

If the company’s employees did know about the breach well ahead of the data leak, then it could have damning results for both the company’s reputation and its acquisition deal with Verizon.

Yahoo’s relationship with cyber security is already fairly strained, with researchers noting its certificate security is still poor despite the impact of the data breach, so any further revelations of potential negligence could leave the company in disgrace.


Roland Moore-Colyer

As News Editor of Silicon UK, Roland keeps a keen eye on the daily tech news coverage for the site, while also focusing on stories around cyber security, public sector IT, innovation, AI, and gadgets.
