Yahoo is warning some customers that state-sponsored attackers have accessed their accounts by using a sophisticated cookie forging attack, which doesn't require obtaining user passwords. The notice is a continuation of the company's response to a series of historic data breaches announced last year.
An email from Yahoo forwarded to ZDNet said:
"Our outside forensic experts have been investigating the creation of forged cookies that could allow an intruder to access users' accounts without a password. Based on the ongoing investigation, we believe a forged cookie may have been used in 2015 or 2016 to access your account."
A handful of others on Twitter also confirmed they had received an identical email notification.
Yahoo confirmed the notifications were genuine.
"The investigation has identified user accounts for which we believe forged cookies were taken or used. Yahoo is in the process of notifying all potentially affected account holders," a spokesperson confirmed...