Yahoo hasn't had the best run when it comes to security breaches, and now the company has notified some users that hackers may have accessed their accounts without even needing a password.
Some users were notified that a "forged cookie" may have been used in 2015 and 2016 to access some accounts. Yahoo also said the forged cookies have since been invalidated.
The unauthorized access stems from the 500 million account breach Yahoo disclosed in September. Yahoo first alluded last October to the sneaky forged cookie method hackers may have used.
"Forensic experts are currently investigating certain evidence and activity that indicates an intruder, believed to be the same state-sponsored actor responsible for the Security Incident, created cookies that could have enabled such intruder to bypass the need for a password to access certain users' accounts or account information," a company SEC filing said.
What is a Cookie?
We're not talking about a sugary treat.
When you go to a website, a cookie is a little token that is stored in your browser. Think of all the times you checked a box that said "keep me logged in" or "remember me." That's storing a cookie in your browser.
This allows the site to store some information and allows you to bypass efforts - such as logging in - each time you want to shop at Amazon or check your Facebook page or read an online subscription.
What is a Forged Cookie? Should I Be Worried?
A forged cookie is the same token that is stored in a browser; however, it's reverse engineered by the bad guys - tricking a website into thinking it was the original cookie.
"With that stored piece of data, an attacker could place that cookie on their own machine and then it would appear to Yahoo that browser had a cookie to bypass the login process," Shuman Ghosemajumder, chief technology officer of Shape Security, told NBC News.
Basically: Hackers could stay logged in to your account for as long as they wanted, without ever having to enter a password.
Yahoo has invalidated the cookies and notified people who were impacted, so Ghosemajumder said users shouldn't be worried.
Jeremiah Grossman, chief of security at SentinelOne, told NBC News that "usually this type of forged cookie hack is extremely difficult," and it would "only be possible after a very deep hack" into a website.
So, you should put forged cookies low on the list of scary things to worry about on the internet. However, Grossman said changing your password regularly should theoretically negate any forged cookies - should they even exist.
The revelation is the latest black eye for Yahoo, which has revealed two massive security breaches in the past few months, with the information being made public only after Verizon had forged a $4.83 billion deal to buy the internet company's core business.
That deal could now be worth a little less, according to a recent report claiming Verizon has slashed $250 million from the asking price.