Yahoo Mail Passwords: Act Now

Yahoo suffers a hack attack, eyes a third-party database and reused credentials as the likely culprits, and may enforce two-factor authentication to help users recover their accounts.


Yahoo said it reset passwords for an unspecified collection of accounts after detecting an unfolding hack-attack campaign.

“Recently, we identified a coordinated effort to gain unauthorized access to Yahoo Mail accounts. Upon discovery, we took immediate action to protect our users, prompting them to reset passwords on impacted accounts,” said Jay Rossiter, who is responsible for Yahoo’s platforms and personalization products, in an “important security update for Yahoo Mail users” blog post. Some related notifications, however, have not yet been sent.

To help users recover their accounts, Yahoo said it may require users to use second sign-in verification, its version of two-factor authentication, which sends a six-digit code via SMS to a user’s registered mobile phone number, provided they have one on file.

According to Litmus email analytics, Yahoo Mail accounts for 5% of the world’s email clients. In market share across desktops, mobile clients, and webmail, that makes Yahoo Mail the world’s eighth most popular email client, trailing iOS Mail clients (38%), Outlook (14%), Android (12%), Apple Mail (8%), Gmail (6%), and Outlook.com (6%), but placing it just ahead of Windows Live Mail (3%) and Windows Mail (2%).


Yahoo said there is no evidence that the new account-hijacking campaign resulted from attackers stealing credentials from Yahoo itself. Rather, whoever is behind the attack appears to have harvested the usernames and passwords from another site, meaning that Yahoo victims likely reused usernames and passwords across multiple sites. “According to our current findings, the list of usernames and passwords that were used to execute the attack was likely collected from a 3rd-party database compromise,” Rossiter said. “Our ongoing investigation shows that malicious computer software used the list of usernames and passwords to access Yahoo Mail accounts. The information sought in the attack appears to be names and email addresses from the affected accounts’ most recent sent emails.”

He added: “We’re working with federal law enforcement to locate and prosecute the perpetrators accountable for this attack.”

Who hijacks email accounts? Criminals may break into accounts to harvest legitimate names and email addresses to target with phishing attacks or scams. One well-worn ruse involves an urgent appeal for funds sent under the account owner’s name to everyone in his or her address book. The message claims, for example, that the account owner was mugged in London and a hotel is holding his or her passport until the bill is settled in cash. “Kindly help me send the cash via Western Union Money Transfer to my name and hotel address below,” the message reads.

Yahoo’s account-takeover warning is thus a heads-up, not only for users to beware account takeovers, but for anyone who receives an email sent via Yahoo. “I’d… recommend being wary of any odd email messages from friends with Yahoo accounts that send you links or attachments within the following couple of days,” said Chris Mohan on the Internet Storm Center.

How can Yahoo users better avoid account takeovers altogether? In its tips for protecting accounts, the company recommends that all account users “add another email address and mobile number in your account,” which are used to receive a password reset in the event that the account is compromised.

Also, never reuse the same password across multiple sites. “If you do make the mistake of reusing passwords, you’re running the risk of having your password compromised in one place — perhaps via a phishing attack or keylogger — and then hackers using it to unlock your other online accounts,” said Graham Cluley, an independent security researcher, in a blog post.

Instead, use a password manager to generate strong passwords (think long and random) and then store them. Modern password managers will keep your password database synchronized across PCs, mobile devices, and the cloud.

So many people still reuse passwords, however, that some companies, such as Facebook, have begun testing public dumps of usernames and passwords to determine whether they unlock any of their own users’ accounts. If so, the company can lock the affected accounts and force those users to choose a new password.
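The check Facebook is described as running, as an added example (not Facebook’s or Yahoo’s code): each dumped username/password pair is hashed with the stored salt and compared against the user store, and any match is locked so a reset is forced. The user store, hashing parameters and dump below are constructed sample data.

```python
"""Test a leaked credential dump against stored password hashes and lock the
accounts it unlocks. Added example; user store, work factor and dump are constructed."""
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor for the constructed user store (assumption)

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def make_user(username: str, password: str) -> dict:
    salt = os.urandom(16)
    return {"username": username, "salt": salt,
            "hash": hash_password(password, salt), "locked": False}

def check_dump_against_store(dump: list, store: dict) -> list:
    """Return usernames whose current password equals a dumped (user, password)
    pair and mark those accounts locked so a new password is required at next login."""
    hits = []
    for dumped_user, dumped_pw in dump:
        rec = store.get(dumped_user.lower())
        if rec is None:
            continue  # the dumped identity is not one of our users
        candidate = hash_password(dumped_pw, rec["salt"])
        if hmac.compare_digest(candidate, rec["hash"]):  # constant-time compare
            rec["locked"] = True
            hits.append(rec["username"])
    return hits

# Constructed sample data: three of our users and a dump from some other site.
STORE = {u["username"]: u for u in (
    make_user("alice", "correct horse battery staple"),
    make_user("bob", "hunter2"),                         # reused on the other site
    make_user("carol", "unique-password-for-this-site"),
)}
DUMP = [("bob", "hunter2"),
        ("carol", "some-other-sites-password"),          # carol did not reuse hers
        ("dave", "whatever")]                            # not our user at all

if __name__ == "__main__":
    print("locked for reset:", check_dump_against_store(DUMP, STORE))
```

Only accounts whose live password matches the dump are touched; a user who appears in the dump with a different password is left alone.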

Beyond never reusing passwords, for maximum account security Yahoo users should also activate the aforementioned second sign-in verification, which Yahoo first introduced in 2011. Once activated, the two-factor verification system sends a six-digit code via SMS to the phone number on file whenever it sees a login attempt, with a valid username and password, from a new device. Without that code, would-be attackers cannot access the account.
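The server-side logic of a flow like the second sign-in verification described above, as an added example (not Yahoo’s code): a correct password from an unrecognized device triggers a six-digit SMS code, and only a correct code within the validity window admits the login and records the device. The `send_sms` stand-in, the device identifier, the ten-minute expiry and the five-attempt limit are assumptions.

```python
"""Second sign-in verification sketch: SMS code required on a new device.
Added example; expiry, attempt limit, device id and SMS hook are assumptions."""
import hmac
import secrets
import time
from typing import Optional

CODE_TTL = 600       # seconds a code stays valid (assumption)
MAX_ATTEMPTS = 5     # wrong codes before the challenge is discarded (assumption)

class Account:
    def __init__(self, phone: Optional[str]):
        self.phone = phone
        self.known_devices = set()
        self.challenge = None  # [code, expires_at, attempts_left] while pending

def send_sms(phone: str, code: str) -> None:
    print(f"[sms to {phone}] Your verification code is {code}")  # gateway stand-in

def start_login(acct: Account, password_ok: bool, device_id: str, now=time.time) -> str:
    """Outcome of the password step: 'denied', 'ok', or 'challenge' (SMS code sent)."""
    if not password_ok:
        return "denied"
    if device_id in acct.known_devices or acct.phone is None:
        return "ok"  # known device, or no phone on file so no second factor possible
    code = f"{secrets.randbelow(10**6):06d}"  # six digits, leading zeros kept
    acct.challenge = [code, now() + CODE_TTL, MAX_ATTEMPTS]
    send_sms(acct.phone, code)
    return "challenge"

def verify_code(acct: Account, submitted: str, device_id: str, now=time.time) -> bool:
    """Check the SMS code; on success remember the device so it is not asked again."""
    ch = acct.challenge
    if ch is None or now() > ch[1]:
        acct.challenge = None           # nothing pending, or the code has expired
        return False
    ch[2] -= 1
    if not hmac.compare_digest(ch[0], submitted):  # constant-time compare
        if ch[2] <= 0:
            acct.challenge = None       # too many guesses: back to the password step
        return False
    acct.challenge = None
    acct.known_devices.add(device_id)
    return True
```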

For access to Yahoo email via any non-Yahoo application, meanwhile, the company also offers one-time codes. “Certain applications — for instance, iOS Mail, Android Mail, and Outlook — don’t support Yahoo’s second sign-in verification,” Cluley said. “For those, you need to generate one-time passwords, separate from the one you use for your Yahoo account.”


Mathew Schwartz is a freelance writer, editor, and photographer, as well as the InformationWeek information security reporter.
