Yahoo has again popped up in the news as they disclosed yet another security breach. This one happened more recently than the 2014 breach reported last September and the 2013 breach reported in December. This “potential compromise” to Yahoo accounts occurred in 2015 and 2016 due to the misuse of a standard tracking technology – cookies – to get into accounts without having to type in a username or password.
How did this happen, and what are cookies anyway?
A cookie is a small piece of text, typically a string of letters and numbers that looks random, which acts as an ID tag in your browser. Alongside that value, a cookie carries attributes such as the domain and path of the website that set it, how long it should live, and which requests it should be sent with. The website creates the cookie and your browser stores it, in memory or on your hard drive. A cookie cannot access the programs and files on your device, and it contains no software that runs on your computer; your browser simply sends it back to the website that set it on later requests.
The cookie acts as a memory, storing information about what pages on a website you visited and what you did while you were there.
Cookies are usually helpful as we browse a website. They are used to track what you have in a shopping cart on an eCommerce site. They are why you can customize your experience on particular websites or how dynamic websites personalize what content you see based on your previous behavior. When you can resume your previous activities as you revisit a website, cookies remember where you were when you left.
Cookies are a tracking technology that sometimes gets people concerned about privacy, and it is possible for certain types of cookies, along with other tracking methods, to follow you to other websites as you browse the web. Internet users have some options for controlling cookies through their browser settings, but totally disabling cookies would severely limit the functionality that brings you speed and convenience on many of your favorite websites.
There are two types of internet cookies: session cookies, which live only until you close the browser, and persistent cookies, which carry an expiry date and are kept until then, so they survive from one browsing session to the next.
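The following is an added example (not code from the article) that parses the `Set-Cookie` header a website sends, reports the attributes described above (domain, path, lifetime) and decides whether the cookie is a session or a persistent one. The `audit_cookie` function goes a step further and flags settings that weaken a login cookie; the 30-day threshold it uses and the two sample headers are assumptions constructed for the example.

```python
"""Parse Set-Cookie headers and tell session cookies from persistent ones (added example)."""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, List, Optional


def parse_set_cookie(header: str, now: Optional[datetime] = None) -> Dict[str, object]:
    """Return the cookie's name, value, attributes and a session/persistent verdict."""
    now = now or datetime.now(timezone.utc)
    pieces = [p.strip() for p in header.split(";")]
    name, _, value = pieces[0].partition("=")
    attrs: Dict[str, str] = {}
    flags = set()
    for piece in pieces[1:]:
        if "=" in piece:
            key, _, val = piece.partition("=")
            attrs[key.strip().lower()] = val.strip()
        elif piece:
            flags.add(piece.lower())
    # Lifetime: Max-Age takes precedence over Expires (RFC 6265);
    # neither attribute present means the cookie is a session cookie.
    lifetime: Optional[int] = None
    if "max-age" in attrs:
        lifetime = int(attrs["max-age"])
    elif "expires" in attrs:
        expires = parsedate_to_datetime(attrs["expires"])
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        lifetime = int((expires - now).total_seconds())
    return {
        "name": name.strip(),
        "value": value.strip(),
        "domain": attrs.get("domain"),
        "path": attrs.get("path", "/"),
        "persistent": lifetime is not None,
        "lifetime_seconds": lifetime,
        "secure": "secure" in flags,
        "httponly": "httponly" in flags,
        "samesite": attrs.get("samesite"),
    }


def audit_cookie(header: str, now: Optional[datetime] = None) -> List[str]:
    """Flag settings that weaken a login or 'remember me' cookie."""
    info = parse_set_cookie(header, now)
    findings: List[str] = []
    if not info["secure"]:
        findings.append("missing Secure: cookie can be sent over plain HTTP")
    if not info["httponly"]:
        findings.append("missing HttpOnly: page scripts can read the cookie")
    if info["samesite"] is None:
        findings.append("missing SameSite: cookie is attached to cross-site requests")
    # 30 days is an assumed policy threshold for this example, not a standard value.
    if info["persistent"] and info["lifetime_seconds"] > 30 * 24 * 3600:
        findings.append("persistent for more than 30 days: long exposure if the cookie leaks")
    return findings


# Constructed sample headers, not taken from any real site.
SESSION_COOKIE = "sid=4f9d2c; Path=/; Secure; HttpOnly; SameSite=Lax"
REMEMBER_ME_COOKIE = "remember_me=u42.9a1b; Max-Age=31536000; Path=/; Domain=example.com"

if __name__ == "__main__":
    for header in (SESSION_COOKIE, REMEMBER_ME_COOKIE):
        print(parse_set_cookie(header))
        print(audit_cookie(header))
```

Run against the two constructed headers, the first is reported as a session cookie with no findings, while the one-year "remember me" cookie is persistent and collects four findings.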
Authentication is how you prove to your internet accounts that it is really you logging in. This is usually a username and a password, although two-step authentication, in which a text message delivers a code you must also enter, is now recommended for the best security. If you have ever clicked “Remember Me” on a website so that you don’t have to enter your username and password the next time you visit, it probably used a persistent cookie to give you that functionality.
News media have reported that the most current known Yahoo breach was due to “forged cookies” that allowed cybercriminals access to accounts without a username or password. The cookies they are talking about are authentication or “remember me” cookies intended to make it faster and easier to get to your account. ZDNet reports that the code that was used to create the cookies was stolen, and Yahoo has invalidated the cookies and has been communicating with account holders who may be affected by the breach.
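As an added example (not Yahoo's code or anything from the article), the block below shows how a website can issue "remember me" cookies that are bound to a server-side signing key with an HMAC, and the two ways a site can invalidate cookies already in circulation: bumping a per-user generation number, and retiring the key version the cookies were signed under. A cookie whose contents were altered without the key, an expired cookie, or one signed under a retired key all fail verification. The class, the payload layout and the placeholder keys are assumptions made for this example.

```python
"""Issue, verify and invalidate HMAC-signed "remember me" cookies (added example)."""
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional, Set


def _b64encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class RememberMeCookies:
    """Server-side state for persistent login cookies (hypothetical design).

    Each cookie is <payload>.<tag>: the payload carries user id, expiry, key
    version (kv) and the user's generation (gen); the tag is an HMAC over the
    payload with the key for that version, so nothing can be changed without it.
    """

    def __init__(self, keys: Dict[int, bytes], current_version: int) -> None:
        self.keys = dict(keys)
        self.current_version = current_version
        self.active_versions: Set[int] = {current_version}
        self.user_generation: Dict[str, int] = {}

    def issue(self, user_id: str, ttl_seconds: int, now: Optional[float] = None) -> str:
        payload = {
            "uid": user_id,
            "exp": int((time.time() if now is None else now) + ttl_seconds),
            "kv": self.current_version,
            "gen": self.user_generation.get(user_id, 0),
        }
        body = _b64encode(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
        tag = hmac.new(self.keys[self.current_version], body.encode("ascii"), hashlib.sha256).digest()
        return f"{body}.{_b64encode(tag)}"

    def verify(self, cookie: str, now: Optional[float] = None) -> Optional[str]:
        """Return the user id for a valid cookie, otherwise None."""
        try:
            body, tag_text = cookie.split(".", 1)
            payload = json.loads(_b64decode(body))
            kv, gen, uid, exp = payload["kv"], payload["gen"], payload["uid"], payload["exp"]
            tag = _b64decode(tag_text)
        except (ValueError, KeyError, TypeError):
            return None
        if not (isinstance(kv, int) and isinstance(gen, int)
                and isinstance(uid, str) and isinstance(exp, (int, float))):
            return None
        if kv not in self.active_versions or kv not in self.keys:
            return None  # signed under a retired (or unknown) key version
        expected = hmac.new(self.keys[kv], body.encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return None  # payload altered or tag not produced with our key
        if exp <= (time.time() if now is None else now):
            return None
        if gen != self.user_generation.get(uid, 0):
            return None  # user's cookies were invalidated after this one was issued
        return uid

    def rotate_key(self, new_version: int, new_key: bytes) -> None:
        """Install a new key and retire every older version: all old cookies become invalid."""
        self.keys[new_version] = new_key
        self.active_versions = {new_version}
        self.current_version = new_version

    def invalidate_user(self, user_id: str) -> None:
        """Invalidate one user's outstanding cookies without touching anyone else's."""
        self.user_generation[user_id] = self.user_generation.get(user_id, 0) + 1


def demo() -> Dict[str, Optional[str]]:
    """Walk the cookie lifecycle with constructed keys and timestamps."""
    store = RememberMeCookies({1: b"placeholder-signing-key-v1"}, current_version=1)
    t0 = 1_700_000_000
    cookie = store.issue("alice", ttl_seconds=30 * 24 * 3600, now=t0)
    # Alter the payload without the key: the tag no longer matches.
    body, tag = cookie.split(".")
    altered = json.loads(_b64decode(body))
    altered["uid"] = "bob"
    altered_body = _b64encode(json.dumps(altered, separators=(",", ":"), sort_keys=True).encode())
    results = {
        "valid": store.verify(cookie, now=t0 + 60),
        "altered": store.verify(f"{altered_body}.{tag}", now=t0 + 60),
        "expired": store.verify(cookie, now=t0 + 31 * 24 * 3600),
    }
    store.invalidate_user("alice")
    results["after_user_invalidation"] = store.verify(cookie, now=t0 + 60)
    reissued = store.issue("alice", ttl_seconds=3600, now=t0)
    results["reissued"] = store.verify(reissued, now=t0 + 60)
    store.rotate_key(2, b"placeholder-signing-key-v2")
    results["after_key_rotation"] = store.verify(reissued, now=t0 + 60)
    return results


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that the check depends entirely on the secrecy of the signing key: if that key or the code that holds it is stolen, a cookie minted elsewhere is indistinguishable from a genuine one, which is why the remedy in that situation is to retire the key version (invalidating every cookie signed under it) rather than to look for bad cookies one by one.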
Whether or not you were involved in any of the Yahoo breaches, right now is a good time to become better informed about cybersecurity so that you can take charge of your digital life. Get better at managing passwords and learn about other behaviors that will limit your risk of becoming a victim with our Guidelines for Secure Behavior Online and in the Office. The internet puts some of the best conveniences, entertainment and information at our fingertips, but it can also put you in a pit of problems if you are complacent about cybersecurity.