Friday, January 31, 2014

Yahoo Reports Limited Email Security Breach

Yahoo logo.jpg
 
On Thursday Yahoo announced that some of their users e-mail accounts were hacked and information stolen by unknown persons.
 
So far, details of the hack are limited, but it appears that the information was stolen from a third-party vendor and not directly from Yahoo itself.
 
We are seeing more and more of this, as more folks move to the cloud and popular sites collect more and more users. So far, it seems that the bad guys are concentrating on going after sites and companies that have millions of users. This, of course, is sort of the theory of low hanging fruit. When one good hack can net you information on millions of users, why should you waste your time on smaller sites and businesses that give you an exponentially smaller amount of data.
 
I did some checking, and here is what Yahoo had to say to their users about the hack and, what they can do as users to minimize the damage done to them. This appears to only affect, at this time, users of the Yahoo e-mail service.
 

Security attacks are unfortunately becoming a more regular occurrence. Recently, we identified a coordinated effort to gain unauthorized access to Yahoo Mail accounts. Upon discovery, we took immediate action to protect our users, prompting them to reset passwords on impacted accounts.

Based on our current findings, the list of usernames and passwords that were used to execute the attack was likely collected from a third-party database compromise. We have no evidence that they were obtained directly from Yahoo’s systems. Our ongoing investigation shows that malicious computer software used the list of usernames and passwords to access Yahoo Mail accounts. The information sought in the attack seems to be names and email addresses from the affected accounts’ most recent sent emails.

What we’re doing to protect our users

  • We are resetting passwords on impacted accounts and we are using second sign-in verification to allow users to re-secure their accounts. Impacted users will be prompted (if not, already) to change their password and may receive an email notification or an SMS text if they have added a mobile number to their account.

  • We are working with federal law enforcement to find and prosecute the perpetrators responsible for this attack.

  • We have implemented additional measures to block attacks against Yahoo’s systems.

What you can do to help keep your accounts secure

In addition to adopting better password practices by changing your password regularly and using different variations of symbols and characters, users should never use the same password on multiple sites or services.  Using the same password on multiple sites or services makes users particularly vulnerable to these types of attacks.

We regret this has happened and want to assure our users that we take the security of their data very seriously.

For more information, please check our Customer Care help page.

Post a Comment