Haven’t deleted your Yahoo account yet?

Yahoo! is reminding folks that hackers broke into its systems, and learned how to forge its website’s session cookies. That allowed the miscreants to log into user accounts without ever typing a password.

In warnings emailed out this week, the troubled web biz said accounts were infiltrated in 2015 and 2016 using forged cookies. It quietly admitted this security blunder back in December, although only now is drawing more attention to it. At the end of last year, it told investors:

The company believes an unauthorized third party accessed the company’s proprietary code to learn how to forge cookies. The outside forensic experts have identified user accounts for which they believe forged cookies were taken or used. Yahoo is notifying the affected account holders, and has invalidated the forged cookies. The company has connected some of this activity to the same state-sponsored actor believed to be responsible for the data theft the company disclosed on September 22, 2016.

That September, Yahoo! admitted personal account records of more than 500 million users may have been swiped by hackers. Three months later, it confessed that a separate network breach in 2013 may have exposed the account credentials of one billion users.

Yahoo!‘s security controls and its incident response handling have been the focus of intense criticism from third-party security experts, which has continued on in the wake of the latest revelations.

Chris Boyd, malware intelligence analyst at Malwarebytes, said: “It’s fair to say that many Yahoo! users must already be feeling ‘incident fatigue’, given the frequency these stories seem to crop up. The sense of confusion – ‘Haven’t I heard about this one and taken steps already?’ – can lead to people becoming complacent with regards updating login, or worse, simply not bothering to shore up defences.

“It’s essential all Yahoo users roll up their sleeves and continue to use secure passwords and enable two-step verification. While this clearly won’t save them in all circumstances, it is still certainly better than nothing,” he added.

Tony Pepper, chief exec and co-founder of data security company Egress, said: “Yahoo has clearly been under systematic attack for quite some time and, aside from questions about its historic ability – or lack thereof – to spot breaches, this incident raises a whole host of concerns about the state of data security in general.

“The fact that the hackers were able to access accounts without the need for passwords is a serious issue. We routinely rely on passwords to protect our data and privacy, and red flags are now being raised. Consumers and businesses alike must be encouraged to turn on things like two-factor authentication wherever possible and keep a close eye on their accounts,” he added.

Jason Hart, CTO of data protection at Gemalto, commented: “While it is ‘news’ that Yahoo is making another announcement about a breach, it shouldn’t be surprising. Opt-in security is not an option in this day and age.

“The company recommended that users consider adopting its Yahoo Account Key, an authentication tool that eliminates the need for a password. However, tools like this only work if the user remembers to activate them. Given the current security climate, all companies should have multi-factor authentication activated by default for all online accounts,” he added.

Andy Norton, risk officer EMEA at endpoint protection company SentinelOne, said: “Yahoo said in its announcement that an ongoing forensic investigation suspects that the attacker had access to proprietary code to learn how to forge cookies. This would show new behaviours other than just stealing user databases, the attackers have also looked at alternative methods to infiltrate Yahoo users accounts.”

“Yahoo – and other email providers – would be a target if they are providing services to regime dissidents or investigative journalists – essentially any user who poses a perceived threat to a current regime,” he added