After years of focusing their attention on Gmail, it seems that attackers have finally gotten around to expending some effort hacking Yahoo mail accounts. Yahoo officials said Thursday that they have reset the passwords on an unspecified number of mail accounts after detecting what they call a “coordinated effort to gain unauthorized access to Yahoo Mail accounts.”
Yahoo officials said that the evidence they have right now suggests that the attackers were trying to steal information such as email addresses and names from users’ sent mail folders.
“Based on our current findings, the list of usernames and passwords that were used to execute the attack was likely collected from a third-party database compromise. We have no evidence that they were obtained directly from Yahoo’s systems. Our ongoing investigation shows that malicious computer software used the list of usernames and passwords to access Yahoo Mail accounts,” Jay Rossiter, SVP of Platforms and Personalization Products at Yahoo, wrote in a Tumblr post on the attacks.
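The pattern Rossiter describes, a list of usernames and passwords harvested from some other site's breach being replayed by software against Yahoo Mail, is what defenders call credential stuffing. Its signature in authentication logs is distinctive: one source tries many different accounts, each roughly once, with mostly failures and a handful of successes where the victim reused a password. The example below is added here and is not code from Yahoo or from the article; it shows one defensive heuristic for spotting that signature in login events and listing the accounts that actually need a password reset. The log format, IP addresses, account names and thresholds are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of webmail authentication events (not real Yahoo logs).
# Fields: ISO timestamp, source IP, username, outcome (ok / fail).
# 198.51.100.7 replays a leaked list: eight accounts in six seconds, two hits.
# 203.0.113.9 is one user fumbling one account; 192.0.2.44 is a normal login.
SAMPLE_LOG = """\
2014-01-30T10:00:01 198.51.100.7 alice@example.com fail
2014-01-30T10:00:02 198.51.100.7 bob@example.com fail
2014-01-30T10:00:02 198.51.100.7 carol@example.com ok
2014-01-30T10:00:03 198.51.100.7 dave@example.com fail
2014-01-30T10:00:03 198.51.100.7 erin@example.com fail
2014-01-30T10:00:04 198.51.100.7 frank@example.com ok
2014-01-30T10:00:05 198.51.100.7 grace@example.com fail
2014-01-30T10:00:06 198.51.100.7 heidi@example.com fail
2014-01-30T10:05:00 203.0.113.9 alice@example.com fail
2014-01-30T10:05:30 203.0.113.9 alice@example.com fail
2014-01-30T10:06:00 203.0.113.9 alice@example.com ok
2014-01-30T11:00:00 192.0.2.44 ivan@example.com ok
"""


def parse_log(text):
    """Parse the constructed log lines into dicts sorted by timestamp."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, ip, user, outcome = line.split()
        events.append({
            "time": datetime.fromisoformat(ts),
            "ip": ip,
            "user": user.lower(),
            "ok": outcome == "ok",
        })
    events.sort(key=lambda e: e["time"])
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=5),
                               min_users=5, max_success_rate=0.5):
    """Flag source IPs that try many distinct usernames inside `window`.

    Returns {ip: {"distinct_users": n, "successes": [accounts that logged in]}}.
    The thresholds are assumptions chosen for this example; a real deployment
    would tune them against its own baseline of shared-NAT and mobile traffic.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Slide `start` forward so evs[start..end] all fall within the window.
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            chunk = evs[start:end + 1]
            users = {e["user"] for e in chunk}
            if len(users) < min_users:
                continue  # one account hammered repeatedly is a different problem
            successes = sum(1 for e in chunk if e["ok"])
            if successes / len(chunk) > max_success_rate:
                continue  # many users, mostly succeeding: looks like a shared egress, not stuffing
            hit = flagged.setdefault(ip, {"distinct_users": 0, "successes": set()})
            hit["distinct_users"] = max(hit["distinct_users"], len(users))
            # Accounts that accepted a replayed password are the ones to reset.
            hit["successes"].update(e["user"] for e in chunk if e["ok"])

    return {ip: {"distinct_users": h["distinct_users"],
                 "successes": sorted(h["successes"])}
            for ip, h in flagged.items()}


if __name__ == "__main__":
    for ip, hit in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {hit['distinct_users']} accounts tried, "
              f"reset needed for {', '.join(hit['successes'])}")
```

The success-rate check matters: a university or corporate NAT also presents many distinct usernames from one address, but those logins mostly succeed, whereas a replayed breach list mostly fails. The accounts in `successes` are the "impacted accounts" a provider would reset, and they are also the ones whose owners reused a password elsewhere.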
Attackers have had a field day going after webmail systems such as Gmail and Hotmail in recent years, going back to the Aurora targeted attacks four years ago against Google and some Gmail users. There are a variety of ways that attackers have found to go after the accounts of webmail users, many of which begin with some variety of phishing attempt. Depending upon the target, attackers will send highly specific emails to a set of victims, sometimes with the lure of a malicious attachment. Other times, attackers will use fake password-reset messages as a lure, something that could complicate the measures that Yahoo is taking to clean up after this attack.
“We are resetting passwords on impacted accounts and we are using second sign-in verification to allow users to re-secure their accounts. Impacted users will be prompted (if not already) to change their password and may receive an email notification or an SMS text if they have added a mobile number to their account,” Rossiter said.
For some users, especially security-conscious ones, those emails and texts can look exactly like the scam messages that attackers use to trick victims into clicking on a malicious link and giving up their email credentials. Once an attacker has access to a victim’s main email account, he often can take over many of the victim’s other accounts, such as online banking, social media and others that typically use email addresses as one level of authentication.
Yahoo officials did not specify which third-party company they believe was the source of the compromised information used to attack its users. There have been a number of large-scale data breaches in the last few months in which millions of email addresses and other information were compromised, including the attack on Adobe and the Target data breach.
Rossiter said Yahoo is working with law enforcement to investigate the attacks on its systems and recommended that users take typical precautions with their online accounts.
“In addition to adopting better password practices by changing your password regularly and using different variations of symbols and characters, users should never use the same password on multiple sites or services. Using the same password on multiple sites or services makes users particularly vulnerable to these types of attacks,” he said.