Yahoo Mail Passwords Breached In ‘Co-ordinated Attack’

Yahoo has admitted its email service was breached by a “co-ordinated effort”, and warned users their passwords may be reset.

The Internet giant’s Yahoo Mail systems were hit by attackers, according to a Yahoo advisory. “Security attacks are unfortunately becoming a more regular occurrence,” wrote Jay Rossiter, Yahoo’s vice president for platforms and personalisation products. “Recently, we identified a coordinated effort to gain unauthorised access to Yahoo Mail accounts. Upon discovery, we took immediate action to protect our users, prompting them to reset passwords on impacted accounts.”

Breach from a third party

According to Rossiter, Yahoo discovered that the list of usernames and passwords used to execute the attack was likely collected from a third-party database compromise, although it did not reveal which third party it is blaming. This type of breach happens when people use the same passwords for different online services, which allows attackers to reuse passwords stolen from other domains.

“We have no evidence that they were obtained directly from Yahoo’s systems. Our ongoing investigation shows that malicious computer software used the list of usernames and passwords to access Yahoo Mail accounts. The information sought in the attack seems to be names and email addresses from the affected accounts’ most recent sent emails,” wrote Rossiter.

Yahoo said it was resetting the passwords on impacted accounts and it is using second sign-in verification to allow users to re-secure their accounts. It also said that it had implemented “additional measures” to safeguard Yahoo systems from future attacks.
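The pattern Rossiter describes, software replaying a leaked list of usernames and passwords, leaves a recognisable trace in login logs. The following Python is an added example, not Yahoo's code: it flags sources that try many distinct usernames only once or twice each with mostly failures, then lists the accounts that logged in successfully from those sources, which are the ones needing a forced reset. The event format, thresholds and sample data are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample login events: (source_ip, username, success).
# IPs are from documentation ranges; usernames are made up.
SAMPLE_EVENTS = (
    # One source replaying a leaked list: six accounts, one try each, one hit.
    [("203.0.113.7", u, u == "carol")
     for u in ("alice", "bob", "carol", "dave", "erin", "frank")]
    # A user mistyping a password before getting it right.
    + [("198.51.100.20", "grace", ok) for ok in (False, False, True)]
    # Password guessing against a single account (a different pattern).
    + [("192.0.2.55", "heidi", False)] * 8
    # A shared office gateway: many users, all legitimate.
    + [("198.51.100.9", u, True)
       for u in ("ivan", "judy", "mallory", "niaj", "olivia")]
)


def find_stuffing_sources(events, min_users=5, max_tries_per_user=2.0,
                          max_success_ratio=0.2):
    """Return source IPs whose traffic looks like a replayed credential list.

    Heuristic (assumed thresholds): many distinct usernames, few attempts
    per username, and a low overall success rate.
    """
    users = defaultdict(set)
    attempts = defaultdict(int)
    successes = defaultdict(int)
    for ip, user, ok in events:
        users[ip].add(user)
        attempts[ip] += 1
        successes[ip] += int(ok)
    return {
        ip for ip in users
        if len(users[ip]) >= min_users
        and attempts[ip] / len(users[ip]) <= max_tries_per_user
        and successes[ip] / attempts[ip] <= max_success_ratio
    }


def accounts_to_reset(events, **thresholds):
    """Accounts that authenticated successfully from a flagged source."""
    flagged = find_stuffing_sources(events, **thresholds)
    return sorted({user for ip, user, ok in events if ok and ip in flagged})


if __name__ == "__main__":
    print("suspicious sources:", find_stuffing_sources(SAMPLE_EVENTS))
    print("force reset for:", accounts_to_reset(SAMPLE_EVENTS))
```

A list replayed from many addresses at once would stay under a per-source threshold, so in practice the same counts are also kept per network, user agent or time window.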

Yahoo Boo Hoo

The company said that those Yahoo Mail users who have been impacted by the attack will be prompted to change their password and may receive an email notification or an SMS text if they have added a mobile number to their account.

Yahoo confirmed it is working with US federal law enforcement to find and prosecute the attackers.

“We regret this has happened and want to assure our users that we take the security of their data very seriously,” said Rossiter.

Earlier this month, thousands of visitors to the Yahoo.com website were hit by malicious ads, pointing them to downloads of the prevalent Magnitude exploit kit, which attempts to drop malware on victims’ machines. The company had earlier pledged to introduce encryption into all of its products, as well as internal communications, by March 2014.

But Yahoo remains a firm favourite of cyber attackers.

In July 2012, 450,000 Yahoo Voice passwords were posted online, an event made worse by the fact the company was storing passwords unencrypted. It was later sued by one of its users over the breach. Then in January 2013, it turned out a Yahoo attempt to cover a security hole in Yahoo Mail had failed, leaving the door open to hackers hoping to take over a user account.

Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...
