Yahoo tells users they were hit with cookie attack

And it hasn't even offered them milk. Yahoo revealed the attack in December, but it was buried by news of its 2013 security breach -- the biggest one on record.

Laura Hautala

On Wednesday, Yahoo notified users affected by a hacking attack in which intruders logged into their accounts without passwords.

Justin Sullivan, Getty Images

Yahoo users found out Wednesday that hackers used a technical trick with cookies to log into their accounts without passwords.

"Based on the ongoing investigation, we believe a forged cookie may have been used in 2015 or 2016 to access your account," Yahoo users were told in an email.

Yahoo revealed the attack in December but the news was largely overlooked. The company made the announcement at the same time it revealed a separate security breach that took place in 2013, in which hackers stole information on 1 billion Yahoo accounts.

This little cookie attack didn't stand a chance of getting noticed when standing right next to the biggest data breach on record, even though it used a sophisticated technique that's a little frightening.

Here's how it works: Instead of stealing your password, the hackers forged the cookie that Yahoo uses as proof that you already logged in, then presented it to Yahoo themselves. It's better than "open sesame": the door opens without anyone asking for the magic word.

In order to do this, hackers need to forge the small tokens called cookies that a service stores in your browser. You rely on one whenever you log into a service and check the box that says "keep me logged in" or "remember me." Even if you close the window, you won't have to log back in, because the cookie saved by your browser tells the service that you already submitted your username and password. That is also what makes forgery so valuable: the service trusts the cookie in place of the password, so a convincing fake is accepted exactly like a genuine one, with no password prompt and no second factor to get past.
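The mechanism above, as an added illustration that is not Yahoo's code and does not reflect Yahoo's actual cookie format: a minimal "remember me" cookie signed with a server secret. The block shows how a server issues and verifies such a cookie instead of re-checking the password, why an attacker holding the signing secret can mint a cookie for any account, why an attacker without the secret cannot, and how rotating the secret invalidates every cookie, genuine or forged. The function names, cookie layout, secrets and timestamps are all assumptions constructed for the example.

```python
"""Added example (not Yahoo's code): a minimal HMAC-signed "remember me" cookie.

Cookie layout (assumed for illustration): "<username>|<expires_at>|<hex hmac>".
The secret and clock values below are constructed sample data.
"""
import hashlib
import hmac


def _mac(secret: bytes, payload: str) -> str:
    """Tag the payload with HMAC-SHA256 under the server's secret."""
    return hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()


def issue_cookie(secret: bytes, username: str, expires_at: int) -> str:
    """Server side: called once after a successful password login."""
    payload = f"{username}|{expires_at}"
    return f"{payload}|{_mac(secret, payload)}"


def verify_cookie(secret: bytes, cookie: str, now: int):
    """Server side: return the username if the cookie is genuine and unexpired, else None.

    The password is never consulted here; the tag alone is the proof of login.
    """
    parts = cookie.split("|")
    if len(parts) != 3:
        return None
    username, expires_at, tag = parts
    expected = _mac(secret, f"{username}|{expires_at}")
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return None
    if not expires_at.isdigit() or int(expires_at) <= now:
        return None
    return username


def forge_cookie(stolen_secret: bytes, victim: str, expires_at: int) -> str:
    """Attacker side, holding the signing secret: a cookie for any account is
    trivial and indistinguishable from a real one. No password, no 2FA prompt."""
    return issue_cookie(stolen_secret, victim, expires_at)


def tamper_cookie(cookie: str, new_username: str) -> str:
    """Attacker side without the secret: swapping the username breaks the tag."""
    _, expires_at, tag = cookie.split("|")
    return f"{new_username}|{expires_at}|{tag}"


def demo():
    """Run the four scenarios and return what the server decides in each."""
    secret = b"server-signing-key-2015"  # constructed; in practice random and kept off the web tier
    now = 1_450_000_000                   # constructed clock, seconds since the epoch
    genuine = issue_cookie(secret, "alice", now + 86400)
    forged = forge_cookie(secret, "victim", now + 86400)
    tampered = tamper_cookie(genuine, "victim")
    rotated = b"server-signing-key-2016-rotated"  # new secret after the theft is discovered
    return {
        "genuine": verify_cookie(secret, genuine, now),            # "alice"
        "forged": verify_cookie(secret, forged, now),              # "victim": attacker is in
        "tampered": verify_cookie(secret, tampered, now),          # None: bad tag
        "expired": verify_cookie(secret, genuine, now + 2 * 86400),  # None: past expiry
        "after_rotation": verify_cookie(rotated, forged, now),     # None: old secret useless
    }


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(f"{scenario:15} -> {result!r}")
```

The "after_rotation" case is one way a service can invalidate forged cookies wholesale, at the cost of logging every genuine user out too; whether Yahoo did it this way is not stated on the page. The design point is that the cookie's trustworthiness rests entirely on the secret staying secret, which is why a forgery of this kind is treated as a compromise of the service rather than of individual passwords.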

Yahoo said in a statement Tuesday that it was notifying people that they were affected by this attack as it continued its investigation.

"As we have previously disclosed, our outside forensic experts have been investigating the creation of forged cookies that could have enabled an intruder to access our users' accounts without a password," a Yahoo spokesperson said. "The investigation has identified user accounts for which we believe forged cookies were taken or used. Yahoo is in the process of notifying all potentially affected account holders."

The statement also said Yahoo has invalidated the forged cookies. Yahoo declined to comment on why some users are receiving a notification that they were affected by the attack two months after the hack was first announced.

In its original statement on the cookie attack, Yahoo said the group behind the attack was likely state-sponsored, which means hackers on the payroll of a foreign government might have been behind the whole thing. It's the same group of hackers Yahoo thinks stole user information on 500 million user accounts in 2014.
