Yesterday I learned that karma is, in fact, real. After reporting on Yahoo!’s recent shortcomings and its latest attempt to bring users back into the fold by rolling out new updates to its mail app, I received a security notice from the company not even five minutes later. The irony here is that I said earlier in the day that I had yet to install the Yahoo! Mail app because I didn’t see its purpose. However, after receiving the notice and reading up on how the app can, in fact, help protect against hackers, I immediately downloaded it. Let’s take a look at the company’s latest hacking news, and how the mail app can be used to stop fraudulent attempts on your account.
In the notice I received from Yahoo!, the company stated:
Our outside forensic experts have been investigating the creation of forged cookies that could allow an intruder to access users’ accounts without a password. Based on the ongoing investigation, we believe a forged cookie may have been used in 2015 or 2016 to access your account. We have connected some of the cookie forging activity to the same state-sponsored actor believed to be responsible for the data theft we disclosed on September 22, 2016. Those users targeted by the state-sponsored actor were sent an additional notification like the one found here: https://help.yahoo.com/kb/SLN26995.html.
The fact that this could have happened in 2015 or 2016, and it is now February 2017 and I’m just now hearing about it, is kind of terrifying. The email goes on to say that Yahoo! has invalidated the forged cookies and “hardened” its systems to secure them against any more attacks of a similar nature. That’s all well and good, but this breach of my privacy still left me feeling a little uneasy. Yahoo! suggested in the email that I should review all my accounts for suspicious activity, be cautious of any unsolicited communications that ask for my personal information, and avoid clicking on links or downloading attachments from suspicious emails. These are all things I do anyway, but the last item on the list caught my eye—the Yahoo! Account Key.
Beforehand, I had simply been using multi-factor authentication and my password to log in to my account. However, the Yahoo! Account Key gets rid of passwords altogether and instead uses the Yahoo! Mail app to allow users access to their accounts (this is the part where I begrudgingly downloaded the app, all the while thinking that I had jinxed myself with that earlier article).
The Yahoo! Account Key works by sending notifications to your Yahoo! Mail app when someone tries to log in to your account. So, for example, if someone is trying to log into my account from a desktop by using Google Chrome, I will get a notification on my phone from the app, with those exact details, asking if the user is me. If it’s not, I can simply click “No” from within the app. If it is me logging in from another device, all I have to do is click “Yes,” and I gain instant access. Assuming that the hacker does not also have your mobile phone or some other device with email access on it, this is a great way to see when exactly someone is attempting to hack your account.
Although Yahoo! clearly has some security problems, it’s doing a pretty good job of improving its defenses. The only problem is that these defenses don’t seem to be advertised very well—I had never heard of the Yahoo! Account Key until yesterday. Hopefully these new security measures can help the company keep hackers out—especially because this latest news caused Verizon, which is set to buy Yahoo!, to lower its price by $250 million. This is a big blow to the company, and potentially makes Yahoo! the biggest victim of the hacks. Let’s hope these security breaches have no more casualties.