Yep, time for another announcement about an issue with Yahoo Mail.
Yahoo announced that it identified a “coordinated effort” to gain unauthorized access to Yahoo Mail accounts, though it didn’t say how many. As others have pointed out, it must be a substantial number, since the company bothered to make the announcement. The company said it took “immediate action” to protect users, and prompted them to reset passwords.
“Based on our current findings, the list of usernames and passwords that were used to execute the attack was likely collected from a third-party database compromise,” writes Yahoo SVP, Platforms and Personalization Products, Jay Rossiter, in a blog post. “We have no evidence that they were obtained directly from Yahoo’s systems. Our ongoing investigation shows that malicious computer software used the list of usernames and passwords to access Yahoo Mail accounts. The information sought in the attack seems to be names and email addresses from the affected accounts’ most recent sent emails.”
This comes less than a month after Yahoo made HTTPS encryption the default on Yahoo Mail, following up on its previously announced initiative to make all data on its servers secure.
It also follows a recent major service outage for Yahoo Mail that angered a lot of users (many of whom were already angry over changes to the interface) and for which CEO Marissa Mayer ended up publicly apologizing.
Earlier this month, Yahoo also hosted some ads that spread malware to users.
Regarding the most recent situation, Yahoo says it’s resetting passwords on impacted accounts and using second sign-in verification to let users “re-secure” their accounts. Users may receive an email notification, or a text message if they’ve added their mobile number to their account, prompting them to change their password.
The company says it is also working with federal law enforcement to find and prosecute the perpetrators responsible for the attack, and has implemented “additional measures” to block further attacks.
“We regret this has happened and want to assure our users that we take the security of their data very seriously,” says Rossiter.