

    Welcome to Sky User - The Unofficial Support Forum for everything Sky! - Proudly helping over 65k members.



    Haven't deleted your Yahoo account yet? Reminder: Hackers forged login cookies


    1. #1
      Scubbie is offline Sky User Moderator

      https://www.theregister.co.uk/2017/0...kie_hack_risk/
      We're! not! even! bothering! with! exclamation! mark! this! time!


      Yahoo! is reminding folks that hackers broke into its systems, and learned how to forge its website's session cookies. That allowed the miscreants to log into user accounts without ever typing a password.

      In warnings emailed out this week, the troubled web biz said accounts were infiltrated in 2015 and 2016 using forged cookies. It quietly admitted this security blunder back in December, although only now is drawing more attention to it. At the end of last year, it told investors:

      The company believes an unauthorized third party accessed the company's proprietary code to learn how to forge cookies. The outside forensic experts have identified user accounts for which they believe forged cookies were taken or used. Yahoo is notifying the affected account holders, and has invalidated the forged cookies. The company has connected some of this activity to the same state-sponsored actor believed to be responsible for the data theft the company disclosed on September 22, 2016.

      That September, Yahoo! admitted personal account records of more than 500 million users may have been swiped by hackers. Three months later, it confessed that a separate network breach in 2013 may have exposed the account credentials of one billion users.

      Yahoo!'s security controls and its incident response handling have been the focus of intense criticism from third-party security experts, which has continued on in the wake of the latest revelations.

      Chris Boyd, malware intelligence analyst at Malwarebytes, said: "It's fair to say that many Yahoo! users must already be feeling 'incident fatigue', given the frequency these stories seem to crop up. The sense of confusion – 'Haven't I heard about this one and taken steps already?' - can lead to people becoming complacent with regards updating login, or worse, simply not bothering to shore up defences.

      "It's essential all Yahoo users roll up their sleeves and continue to use secure passwords and enable two-step verification. While this clearly won't save them in all circumstances, it is still certainly better than nothing," he added.

      Tony Pepper, chief exec and co-founder of data security company Egress, said: "Yahoo has clearly been under systematic attack for quite some time and, aside from questions about its historic ability – or lack thereof – to spot breaches, this incident raises a whole host of concerns about the state of data security in general.

      "The fact that the hackers were able to access accounts without the need for passwords is a serious issue. We routinely rely on passwords to protect our data and privacy, and red flags are now being raised. Consumers and businesses alike must be encouraged to turn on things like two-factor authentication wherever possible and keep a close eye on their accounts," he added.

      Jason Hart, CTO of data protection at Gemalto, commented: "While it is ‘news’ that Yahoo is making another announcement about a breach, it shouldn’t be surprising. Opt-in security is not an option in this day and age.

      "The company recommended that users consider adopting its Yahoo Account Key, an authentication tool that eliminates the need for a password. However, tools like this only work if the user remembers to activate them. Given the current security climate, all companies should have multi-factor authentication activated by default for all online accounts," he added.

      Andy Norton, risk officer EMEA at endpoint protection company SentinelOne, said: "Yahoo said in its announcement that an ongoing forensic investigation suspects that the attacker had access to proprietary code to learn how to forge cookies. This would show new behaviours other than just stealing user databases, the attackers have also looked at alternative methods to infiltrate Yahoo users accounts."

      "Yahoo – and other email providers – would be a target if they are providing services to regime dissidents or investigative journalists – essentially any user who poses a perceived threat to a current regime," he added.


    3. #2
      lettice is offline Sky User Member

      Yahoo email or even Yahoo should be condemned to history.
      But whether you like it or not, you have a yahoo account tied in with your sky id.
      Never used the sky isp yahoo email service, but the id and its yahoo relationship is a worry frankly.
      Not sure where Sky stands with all this and where is the two factor authentication on Sky?

    4. #3
      Scubbie is offline Sky User Moderator

      Sky has a different login system which is apparently quite tough.

      As for dumping Yahoo! emails, that's a no-brainer for many people. Yahoo! Groups, for a start, benefits from having a Yahoo! email account.

      Sky Fibre Unlimited Pro: Connected at 80,000 kbps / 20,000 kbps
      Previous ADSL2+ Speed 19999 kbps 1153 kbps, Line Attenuation 17.5 db 6.9 db, Noise Margin 7.5 dB 8.7 dB
      Speedtest: 17.15MB/s 0.97Mb/s Ping 31 ms

    5. #4
      James_Mitchell is offline Sky User Member

      Sky don't even have 2 step verification so can't be that good!!

     

     
