

Hackers caught breaking into Yahoo Mail accounts

31 Jan 2014

Cyber criminals have hit Yahoo with a co-ordinated cyber attack, designed to hijack customer accounts.

Yahoo's senior vice president of Platforms and Personalisation Products, Jay Rossiter, reported the attack in a blog post, saying that the company has already taken action to defend its customers.

"Recently, we identified a co-ordinated effort to gain unauthorised access to Yahoo Mail accounts. Upon discovery, we took immediate action to protect our users, prompting them to reset passwords on impacted accounts," read the post.

Rossiter said the attack used stolen credentials from an unknown third-party vendor to break into the accounts and siphon data from them.

"Based on our current findings, the list of usernames and passwords that were used to execute the attack was likely collected from a third-party database compromise. We have no evidence that they were obtained directly from Yahoo's systems," read the blog.

"Our ongoing investigation shows that malicious computer software used the list of usernames and passwords to access Yahoo Mail accounts. The information sought in the attack seems to be names and email addresses from the affected accounts' most recent sent emails."

The identity of the "third-party vendor" remains unknown, though F-Secure security expert Sean Sullivan suggested to V3 that the huge breach that hit 38 million Adobe customers last October could be to blame.

He said the attackers could have stolen the data from an Adobe database and then used the information to guess the Yahoo account details.

"The question seems to me to be: does that third-party database appear to be related to Adobe.com?" he said.

At the time of publishing Adobe had not responded to V3's request for comment on the issue.

Rossiter confirmed that the company has sent out password reset requests to affected accounts. He added that users should adopt more complex passwords to protect themselves against future attacks.

"We are resetting passwords on impacted accounts and we are using second sign-in verification to allow users to re-secure their accounts. Impacted users will be prompted (if not already) to change their password and may receive an email notification or an SMS if they have added a mobile number to their account," he said.

"Users should never use the same password on multiple sites or services. Using the same password on multiple sites or services makes users particularly vulnerable to these types of attacks."

Chief security officer at Fujitsu, David Robinson, mirrored Rossiter's sentiment, warning that future attacks on companies such as Yahoo are inevitable.

"It seems that not a week goes by that we don't see a data breach of one type or another. This time, it's Yahoo under the spotlight. But let's not forget, it isn't the first company. And it won't be the last," he said.

"Many businesses and consumers are still failing to see the reality of the situation we are now facing. The effort required to combat breaches is industrial. Companies are no longer fighting against individuals, but a sophisticated criminal industry, designed solely to access their data. This is why we describe organisations in two groups, those who have been hacked and those who will be."

Attacks targeting customer accounts are a growing problem facing businesses. An attack compromising over 16 million German email accounts was uncovered by the country's Federal Office for Information Security (BSI) earlier in January.

Alastair Stevenson
Alastair has worked as a reporter covering security and mobile issues at V3 since March 2012. Before entering the field of journalism Alastair had worked in numerous industries as both a freelance copy writer and artist.
