This is why I quit using Yahoo Mail six months ago! How many times is enough? This time it’s forged cookies! Thankfully, I didn’t get that additional notification from Yahoo that my account was targeted. Whew! A close call, but you can never be sure. Anyways, here’s the message I received this morning.
We are writing to inform you about a data security issue that involves your Yahoo account. We have taken steps to secure your account and are working closely with law enforcement.
Our outside forensic experts have been investigating the creation of forged cookies that could allow an intruder to access users’ accounts without a password. Based on the ongoing investigation, we believe a forged cookie may have been used in 2015 or 2016 to access your account. We have connected some of the cookie forging activity to the same state-sponsored actor believed to be responsible for the data theft we disclosed on September 22, 2016. Those users targeted by the state-sponsored actor were sent an additional notification like the one found here: https://help.yahoo.com/kb/
We invalidated the forged cookies and hardened our systems to secure them against similar attacks. We continuously enhance our safeguards and systems that detect and prevent unauthorized access to user accounts.
We encourage you to follow these security recommendations:
- Review all of your accounts for suspicious activity.
- Be cautious of any unsolicited communications that ask for your personal information or refer you to a web page asking for personal information.
- Avoid clicking on links or downloading attachments from suspicious emails.
Additionally, please consider using Yahoo Account Key, a simple authentication tool that eliminates the need to use a password on Yahoo altogether.
For More Information
For more information about this issue and our security resources, please visit the Yahoo Account Security Issue FAQs page available at https://yahoo.com/security-
Protecting your information is important to us and we work continuously to strengthen our defenses.
Chief Information Security Officer