Haven't deleted your Yahoo account yet? Reminder: Hackers forged login cookies

Yahoo! is reminding folks that hackers broke into its systems, and learned how to forge its website's session cookies. That allowed the miscreants to log into user accounts without ever typing a password. In warnings emailed out this week, the troubled web biz said accounts were infiltrated in 2015 and 2016 using forged …

  1. Anonymous Coward

    I've asked Yahoo to delete my account years ago...

    ... but were my data actually wiped, or they kept a record of them, and they were stolen anyway?

    1. imanidiot Silver badge
      Meh

      Re: I've asked Yahoo to delete my account years ago...

      The fact you have to ask is probably answer enough...

  2. chivo243 Silver badge

    Don't worry

    Yahoo! can't find their ass with both hands, I think your data is probably safe from Yahoo! anyway! The intruders already have it...

  3. Anonymous Coward

    Consumers and businesses alike must be encouraged to turn on things like two-factor authentication wherever possible

    No, I am not giving that bunch of idiots my phone number, it'll get stolen in the next hack (isn't there one due round about now?).

    The company recommended that users consider adopting its Yahoo Account Key, an authentication tool that eliminates the need for a password.

    Yahoo Account Key also needs your phone number, if they really had your security in mind this would not be necessary.

    Also, it's doubtful this advice works, it seems that hackers can just manufacture session cookies without any need to log in. That's how shit Yahoo is.

    1. Anonymous Coward

      Yahoo and phone numbers

      They still have mine from the days when Vodafone would not let you take yours with you when you left.

      Fat lot of good that will do the hackers.

      I use it only for throw away emails so I really don't care that much.

      Oh and it has emails from a few {cough, cough} dodgy sites (not pron by the way) but to do with body modification. I was using it for research for a novel, honest officer.

      1. Anonymous Coward

        Re: Yahoo and phone numbers

        They still have mine from the days when Vodafone would not let you take yours with you when you left.

        Fat lot of good that will do the hackers.

        I use my Google Voice number for anything that absolutely needs one (and I don't have GV/hangouts set to receive calls). And if Google ever absolutely needed my phone number I have a Talkatone one.

    2. Eddy Ito

      it'll get stolen in the next hack (isn't there one due round about now?)

      Don't worry, they'll tell us about last week's hack in a few months or years, if they're still around.

    3. Anonymous Coward

      Cookies

      We use cookies (well, really auth cookies) that way in our company... but then again, we are a small company, so we are not spreading bad practices.

      This sounds more like "they got our private key", so they can sign anything.
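The "they got our private key, so they can sign anything" scenario this comment describes, as an added Python example that is not part of the thread: a toy HMAC-signed session cookie, what a holder of the signing key can mint without ever logging in, and a server-side session record that still rejects a correctly signed cookie no login ever issued. The key values and the session store are constructed for the demo, not anything from Yahoo's design.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed demo keys for this example; nothing here is Yahoo's real design.
SIGNING_KEY = b"constructed-demo-signing-key"
ROTATED_KEY = b"constructed-demo-key-after-rotation"
# Server-side record of session ids that a real login actually created.
SESSION_STORE: set = set()


def _b64(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_cookie(user: str, key: bytes, now: int, ttl: int = 3600, record: bool = True) -> str:
    """Stateless signed cookie: base64(payload).base64(HMAC-SHA256(key, payload)).
    record=True models a real login that registers the session id server-side;
    record=False models what a holder of the key can mint without logging in."""
    sid = secrets.token_hex(8)
    payload = json.dumps({"user": user, "sid": sid, "exp": now + ttl}, sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    if record:
        SESSION_STORE.add(sid)
    return _b64(payload) + "." + _b64(tag)

def verify_cookie(cookie: str, key: bytes, now: int, require_server_record: bool = False):
    """Return the payload dict if the tag is valid and the cookie unexpired, else None.
    With require_server_record the sid must also be in SESSION_STORE, so a
    correctly signed cookie that no login ever issued is still rejected."""
    try:
        payload_b64, tag_b64 = cookie.split(".")
        payload, tag = _unb64(payload_b64), _unb64(tag_b64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    data = json.loads(payload)
    if data.get("exp", 0) <= now:
        return None
    if require_server_record and data.get("sid") not in SESSION_STORE:
        return None
    return data
```

Rotating the key (ROTATED_KEY) invalidates every outstanding cookie, forged or genuine, which is the blunt remedy once a signing key is known to be lost; the server-side record is what lets a site tell a forged cookie from a real one without forcing every user to log in again.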

  4. Anonymous Coward

    Until we fine

    the CEO say, 75% of their annual income, bonuses or actually lock them up, *nothing* is going to change except the onus of security being put *squarely* at the users' doorsteps.

    You can't blame users for having crap passwords when sites don't have a common system, like how one site insists on a min of 10 chr$, upper AND lower case, numbers and a symbol whereas website B will let you use "password" as a password.

    1. Little Mouse

      Re: Until we fine

      Or website "C" - VirginMedia:

      10 characters maximum. Alphanumeric only - No special characters allowed.

      1. m0rt

        Re: Until we fine

        "alohanumeric" ?

        This mean only letters found in Hawaii?

        Anyway - try creating passwords on their Super Router 3, or whatever it is. Have to choose over 8 long, must have special characters, Capitals, Numbers, emoji, grandmother's maiden name, the second letter of the day of your birth, last 6 digits of your entire DNA sequence, IQ divided by BMI * blood alcohol level taken at midnight on New Year's Day 6 years ago.

        1. Little Mouse

          Re: Until we fine

          "alohanumeric" ?

          Oops - fixed!

          1. John Gamble
            Coat

            Alohanumeric (was Re: Until we fine)

            No, wait, that's perfect!

            My next password checker will definitely insist on alohanumeric characters. It's just that the password will have to be at least 25 characters long.

            1. IglooDude

              Re: Alohanumeric (was Until we fine)

              ...and at least twenty of them have to be vowels.

              (I lived in a town there named "Aiea".)

        2. Syx

          Re: Until we fine

          And not only that, but when you try to log into the admin panel you CANNOT obscure the password by default meaning it's visible to anyone reading over your shoulder. Good one VM.

  5. IglooDude

    I think it's fair to say that (except for a few poor bastards that for whatever reason can't extricate themselves from needing the specific email address), anyone still using Yahoo email at this point has no concern for their account's security anyway, and 2FA or anything else isn't going to get a lot of participation.

  6. 0laf

    Final straw

    I finally closed my Yahoo a few months ago after one of my friends called up to say they were getting spam from it. I'd not really used it for a while but I was reluctant to close it since it was my very first email account and I'd had it since 1995.

    But I'd changed the password to some 15 character monstrosity from a password manager so even I didn't know what it was, yet it still got nailed (it wasn't spoofed; there were some other hints about that).

  7. Doctor Syntax Silver badge

    Is it a coincidence that this just surfaced after they're supposed to have reached a new agreed price with Verizon?

    1. Anonymous Coward

      Is it a coincidence that this just surfaced after they're supposed to have reached a new agreed price with Verizon?

      Soon they'll have to *pay* Verizon to take them... You know, the "IBM Method".

  8. Kevin Johnston

    Oh dear

    What scares me is that we have stopped being surprised when this happens. These are technology companies who cannot manage simple security activities and treat their customers' data with contempt.

    Comments above suggest various measures to try to stop this but there is so much aggressive apathy (Yes I know that is an oxymoron) from the companies involved that even if some Government Monitor tried to fine them it is hard to see them having the bottle to make it a big enough number to change things.

    1. P. Lee

      Re: Oh dear

      >These are technology companies who cannot manage simple security activities and treat their customers' data with contempt.

      I think you've misunderstood who the customers are. Their customers are the ones paying for the advertising. Who are you?

  9. Anonymous Coward

    Wait a minute!

    This has nothing to do with passwords. No matter how crap they were, the bad guys were able to bypass them altogether. So why push me to two-factor authentication?

    1. creepy gecko
      Devil

      Re: Wait a minute!

      To make it seem that they're doing something about the problem?

      The fact that the 2FA approach doesn't appear to solve the forged cookies is not their concern, at the moment. At least Yahoo can claim they have responded to the attack.

      Icon for Yahoo management.

    2. Captain DaFt

      Re: Wait a minute!

      "So why push me to two-factor authentication?"

      To gather even more information (valid phone #) about their users, to sweeten the pot for the sale, and oops... share with the hackers.

      My Yahoo! account is strictly for websites that insist on one, there's minimal info in it, and none that's actual.

      2FA? With them? Pah! When >name< >password< no longer works, I'll just start using one of my other throw away accounts elsewhere.

    3. Anonymous Coward

      @AC

      "So why push me to two-factor authentication?"

      Well, one thing though: you don't always need to provide extra info for that. There are also systems which can show a specific image which you can then scan with your phone (or snap a pic and use a program) which will extract the code which you need to provide.

      Other than that you're absolutely right of course!

  10. phuzz Silver badge
    Happy

    I technically still have a Yahoo address, in that I originally had a Rocket Mail address. Then when they were bought by Yahoo to become Yahoo mail, they said that all existing customers would have an account for life.

    I've not used that address in at least fifteen years, but it makes me smile knowing that a tiny fraction of electricity and disk space is being wasted by Yahoo, just collecting spam for me, that I will never look at.

    1. IglooDude
      Happy

      You should post the address here, so we can all use it for spam-inducing activities.

  11. jay_bea

    Flickr

    The focus of the discussions of Yahoo has been email, but they operate a number of other services, including Flickr, which use the same login credentials as Yahoo. If they are using the same authentication systems, does that mean that Flickr is also vulnerable to the forged session cookies?

    1. ~chrisw

      Re: Flickr

      One would assume that to be the case, given Yahoo! imposed their common authentication system onto Flickr a couple of years ago. More worryingly this means those who infiltrated their systems had access to a massive database of personal photos (for those who use the mobile app to sync personal photos) along with associated geolocation info. Very worrying. Imagine the profile a state actor could build on a potential target.

  12. Anonymous Coward

    My Yahoo account? Hell, I haven't used Yahoo since this exciting new start-up search engine called Google appeared.

    How many years ago was that now? Would they still have my data?

    Doesn't really matter if they did, only the email was ever real, and that email has long since gone...

  13. Ken Moorhouse Silver badge

    Commencing 20 May 2008...

    I did some investigation for a client who had evidence to suggest that his Yahoo account had been exploited (emails being sent to contacts in his address book, purportedly from him). My conclusion at the time was that there was an API in existence (for developers) which could be used to run a dictionary attack on Yahoo account logins without either the user being aware, or Yahoo locking them out.

    This Yahoo controversy has been going on a lot longer than everyone is making out.

  14. maxregister

    "We're! not! even! bothering! with! exclamation! mark! this! time!"

    god bless you, The Register

  15. rtb61

    You Hire an M&M and You Get an M&M

    Now it is pretty clear why the M&M was being demoted out of Google. Only really good at stealing other people's ideas and claiming them as its own, wow, it really managed to grind Yahoo into oblivion.

  16. Potemkine Silver badge

    "state!-sponsored! actor!"

    Which one? Just to be sure....

  17. The Eee 701 Paddock
    Thumb Down

    "Why haven't you deleted your Y! account yet?"

    If I had a tenner for every time an article here has asked this question (or implied it) in the last few years, I could probably go away for a nice spa weekend or something, to calm down...

    There is one reason, and one alone, why I still have a Y! account: Flickr. I'm a Pro account holder; I've been one for over a decade; have 1000s of pics in my account (some of which only exist there AFAIK (yes, I KNOW, more the fool me, etc.))... and call me weird, but I actually LIKE the way Flickr works (esp. the auto-upload from the iPhone app). If Flickr could be liberated from its current ownership, I'd drop my Y! account so fast it would exceed the pull of gravity, and I feel sure thousands of users would follow suit.

    I'd practically bet real moolah that Y! knows this, which is why I fear Flickr will have to be crowbarred out of its owner's cold, dead mitts...

  18. Just Enough

    "It's essential all Yahoo users roll up their sleeves and continue to use secure passwords and enable two-step verification."

    It's funny, but if I was a Yahoo user my priorities would be entirely elsewhere. Like rolling up my sleeves and stopping being a Yahoo user.

  19. dajames

    Forgotten but not gone?

    I have a Yahoo account dating from when Freecycle was run as a Yahoo Group. An article on El Reg, a few months ago, reminded me that I should close it down.

    I tried to log in, and my password was rejected. Hmm. Maybe they've reset it in the wake of all the infiltration we've been hearing about. I request a password reset.

    The next thing I get is an email from Yahoo to my non-Yahoo email address (which they must have got from my Yahoo account records) containing a one-time login link. I follow the link to Yahoo and try to set a new password. At this point Yahoo tells me in no uncertain terms that it can't create a new password for that account because the account does not exist.

    What a bunch of utter clueless wankers!

  20. JCitizen
    Coffee/keyboard

    Yahoo! bit the big one for me long ago...

    When Yahoo! held hostage accounts "synchronized" with AT&T, that was the last straw for me, way back in 2005. We had email through Yahoo! in some of our offices, where that was the only way we could provide services for remote offices. We didn't have them on our head office server yet, because they didn't have the necessary router, or broadband for such a connection. We were on a budget and unless the community population and/or services met a certain category, we didn't use our company email server.

    After we switched from AT&T to a broadband service that had just been built in one of the far-flung communities, we discovered all email was going to be lost because Yahoo/AT&T refused to release it as a web-based email again. Yahoo! and AT&T were both sued over this and lost in court, but it was too late for our hapless remote offices. We had to rebuild from scratch, and we never forgot about that. Never again will I, or anyone I know, recommend Yahoo for web-based email, even though now you can supposedly free it up after that court case. They really stuck it in the dirt with treating so many people that way. And then they wonder why their market share keeps going down.

    There is nothing more irritating than having to delete Yahoo! as a search engine in everyone's browsers too!! It keeps coming back and taking over the browser like that 'Ask' toolbar that was finally declared a PUP a few years ago. You cannot engender good will acting like this, but Yahoo! never seems to get it. Just like A-Hole, er I mean AOL did years ago. The pestilence will finally be eradicated by their continued bad behavior, and everyone jumping ship like a bunch of drowning rats! Thankfully we finally instituted Outlook Web Access 2003 email for remote dial-up offices, so we could get an SSL connection and still use our central server to control our remote offices. Never again will we ever trust an outsider like that for email service - besides, I would bet that the HIPAA regulations have by now blocked using such insecure services anyway.

  21. Florida1920
    Pint

    'incident fatigue'

    Is what you get every time you read about Yahoo!, Adobe et al.

    Cure ---------------------------------------->

  22. fredesmite

    Why is the Yahoo cesspool still around?

    someone please flush the toilet
