
Hackers caught breaking into Yahoo Mail accounts

31 Jan 2014

Cyber criminals have hit Yahoo with a co-ordinated cyber attack, designed to hijack customer accounts.

Yahoo's senior vice president of Platforms and Personalisation Products, Jay Rossiter, reported the attack in a blog post, promising that the company has already taken action to defend its customers.

"Recently, we identified a co-ordinated effort to gain unauthorised access to Yahoo Mail accounts. Upon discovery, we took immediate action to protect our users, prompting them to reset passwords on impacted accounts," read the post.

Rossiter said the attack used stolen credentials from an unknown third-party vendor to break into the accounts and siphon data from them.

"Based on our current findings, the list of usernames and passwords that were used to execute the attack was likely collected from a third-party database compromise. We have no evidence that they were obtained directly from Yahoo's systems," read the blog.

"Our ongoing investigation shows that malicious computer software used the list of usernames and passwords to access Yahoo Mail accounts. The information sought in the attack seems to be names and email addresses from the affected accounts' most recent sent emails."

The identity of the "third-party vendor" remains unknown, though F-Secure security expert Sean Sullivan suggested to V3 that the huge breach that hit 38 million Adobe customers last October could be to blame.

He said the attackers could have stolen the data from an Adobe database and then used the information to guess the Yahoo account details.

"The question seems to me to be: does that third-party database appear to be related to" he said.

At the time of publishing Adobe had not responded to V3's request for comment on the issue.

Rossiter confirmed that the company has sent out password reset requests to affected accounts. He added users should adopt more complex passwords to protect themselves against future attacks.

"We are resetting passwords on impacted accounts and we are using second sign-in verification to allow users to re-secure their accounts. Impacted users will be prompted (if not, already) to change their password and may receive an email notification or an SMS if they have added a mobile number to their account," he said.

"Users should never use the same password on multiple sites or services. Using the same password on multiple sites or services makes users particularly vulnerable to these types of attacks."

Chief security officer at Fujitsu, David Robinson, mirrored Rossiter's sentiment, warning that future attacks on companies such as Yahoo are inevitable.

"It seems that not a week goes by that we don't see a data breach of one type or another. This time, it's Yahoo under the spotlight. But let's not forget, it isn't the first company. And it won't be the last," he said.

"Many businesses and consumers are still failing to see the reality of the situation we are now facing. The effort required to combat breaches is industrial. Companies are no longer fighting against individuals, but a sophisticated criminal industry, designed solely to access their data. This is why we describe organisations in two groups, those who have been hacked and those who will be."

Attacks targeting customer accounts are a growing problem facing businesses. An attack compromising over 16 million German email accounts was uncovered by the country's Federal Office for Information Security (BSI) earlier in January.

Alastair Stevenson

Alastair has worked as a reporter covering security and mobile issues at V3 since March 2012. Before entering the field of journalism Alastair had worked in numerous industries as both a freelance copy writer and artist.

