Yahoo is telling some of its users that hackers may have logged into their accounts, using a forged “cookie” which gives access even without a password.
According to CNET, the attack was originally announced in September, but has largely been overlooked until now as the revelation was included within a larger announcement about a Yahoo security breach considered the largest in history.
Yahoo said it had connected some of the cookie-based attacks to the “same state-sponsored actor” believed to be responsible for one of the other hacks.
It’s unclear why some of the users are receiving the notification now, months after Yahoo first disclosed the cookie attacks.
Cookies store personal information in the browser so that you don’t have to type in your user information again, which is why a forged cookie can give access to an account without a password. Yahoo said in its September announcement that “an unauthorised third party accessed the company’s proprietary code to learn how to forge cookies.”
Yahoo’s spokesperson sent the following statement in response to this story:
“As we have previously disclosed, our outside forensic experts have been investigating the creation of forged cookies that could have enabled an intruder to access our users’ accounts without a password. The investigation has identified user accounts for which we believe forged cookies were taken or used. Yahoo is in the process of notifying all potentially affected account holders. Yahoo has invalidated the forged cookies so they cannot be used again.”