
After Yet Another Breach, Yahoo Blames an Unnamed State Actor


Yahoo has announced yet another breach of its customers' data, testing the limits of even a large company's ability to shrug off one PR disaster after another. For a company that makes most of its money from its users' activity, the near-constant narrative that it mishandles user data will be difficult to overcome, even if it keeps blaming foreign states.

When the first major Yahoo breach was reported in September of last year, Yahoo immediately said that it had been a "state-sponsored" attack. Between that disclosure and a second one in December, more than a billion accounts were affected, with everything from personal data to security-question answers exposed.

Those breaches actually took place in 2013 and 2014. The new warning concerns a later period: this Wednesday some Yahoo users began receiving emails telling them that "Based on the ongoing investigation, we believe a forged cookie may have been used in 2015 or 2016 to access your account."

The "forged cookie" mention in the warning means that the attackers were able to present Yahoo's servers with session cookies the servers accepted as genuine, whether by copying real ones or by fabricating them. A session cookie is the token a site sets after you log in so that you stay logged in on later visits; with a valid one in hand, an attacker does not need to log in, and never has to enter or even know the user's password. Presenting the cookie lands them directly inside the user's account, exactly as happens when a legitimate user returns to the site between mandatory logins.
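To make the distinction concrete, here is an added example (not Yahoo's code, and not a description of Yahoo's actual implementation) of the two ways a site can build a session cookie: a weak cookie that is just a user id, which anyone can mint, beside a cookie carrying an HMAC tag under a server-held secret, which cannot be fabricated without that secret. The server secret, the per-user cutoff table and the helper names are all assumptions for the demo; the invalidation step models what "we invalidated the affected cookies" means in practice.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed demo, not Yahoo's code. In a real deployment the secret lives
# in a key store, not in source; here it is generated fresh at import time.
SERVER_SECRET = secrets.token_bytes(32)

# Assumed server-side table: sessions for a user that were issued before
# this timestamp are void. This is how a site revokes cookies it believes
# were forged or stolen without changing the signing key for everyone.
_not_before: Dict[str, int] = {}


def make_unsigned_cookie(user_id: str) -> str:
    """Weak form: the cookie is just the user id. Anyone who can guess or
    copy it is 'logged in' as that user with no password involved."""
    return f"uid={user_id}"


def check_unsigned_cookie(cookie: str) -> Optional[str]:
    """Accepts any well-formed value, so a forged cookie is
    indistinguishable from a genuine one."""
    return cookie[4:] if cookie.startswith("uid=") else None


def make_signed_cookie(user_id: str, issued_at: int,
                       secret: bytes = SERVER_SECRET) -> str:
    """Hardened form: payload plus an HMAC-SHA256 tag under the server key.
    Forging a valid cookie now requires the key, not just a user id."""
    payload = f"{user_id}|{issued_at}".encode()
    tag = hmac.new(secret, payload, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(payload).decode() + "." +
            base64.urlsafe_b64encode(tag).decode())


def check_signed_cookie(cookie: str,
                        secret: bytes = SERVER_SECRET) -> Optional[str]:
    """Returns the user id if the tag verifies and the session has not been
    revoked, otherwise None. Malformed input is treated as a bad cookie."""
    try:
        p_b64, t_b64 = cookie.split(".", 1)
        payload = base64.urlsafe_b64decode(p_b64)
        tag = base64.urlsafe_b64decode(t_b64)
        user_id, issued_str = payload.decode().split("|", 1)
        issued_at = int(issued_str)
    except (ValueError, UnicodeDecodeError):
        return None
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    # Constant-time comparison so the tag cannot be recovered byte by byte.
    if not hmac.compare_digest(tag, expected):
        return None
    # Server-side revocation: cookies minted before the cutoff are void.
    if issued_at < _not_before.get(user_id, 0):
        return None
    return user_id


def invalidate_sessions_before(user_id: str, cutoff: int) -> None:
    """Void every session for user_id issued before cutoff."""
    _not_before[user_id] = cutoff


if __name__ == "__main__":
    # Forging the weak cookie is trivial: no secret is involved.
    print("weak cookie 'uid=victim' ->", check_unsigned_cookie("uid=victim"))
    good = make_signed_cookie("alice", 1000)
    forged = make_signed_cookie("alice", 1000, secret=b"attacker guess")
    print("signed cookie, real key   ->", check_signed_cookie(good))
    print("signed cookie, wrong key  ->", check_signed_cookie(forged))
    invalidate_sessions_before("alice", 2000)
    print("after revocation          ->", check_signed_cookie(good))
```

Two caveats follow directly from the code. Signing stops fabrication, but a genuine signed cookie copied off a victim's machine or network still verifies, so stolen cookies need short lifetimes and revocation rather than stronger signatures. And if the signing secret itself leaks, every cookie the attacker mints verifies, which is why rotating the key and voiding outstanding sessions are the standard response once forged cookies are confirmed.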

Yahoo says that this breach, too, was the result of a state-sponsored attack. That is entirely possible, but the framing also seems to imply that state-sponsored attacks ought to be more forgivable. There is some logic to this, since states have far greater resources than purely criminal hackers, and because Russian or Iranian or even North Korean state hackers are far less likely than ordinary criminals to charge a new pair of $600 Slovakian rain boots to your credit card.

But the "state-sponsored" label is now being presented as something like an excuse, as Yahoo looks to a future in which its name is synonymous with security weakness. There are rumblings that this scandal could affect a potential deal with Verizon.

The scope of the attack is not yet known, but the AP reports that within a single six-person research group at the University of Pennsylvania, at least two members have received the warning.