Yahoo has announced that its email system has recently been subject to a “coordinated effort to gain unauthorized access”. The statement, which was posted on the company’s Tumblr yesterday, did not indicate how many accounts have been affected.
Engineering and Technology magazine reports that the attack was used to gather information on users’ recent correspondence, as well as their usernames and passwords. The aim is to gather legitimate email addresses for use in future spamming, making it more likely that users will fall victim to malware spread by email, because they would trust the sender and expect to receive emails from them.
Yahoo has 273 million email users worldwide, with 81 million in the United States. The magazine quotes Avivah Litan, a security analyst at Gartner, as saying “the programmes the bad guys use are much more sophisticated now. We’re clearly under attack”, in the wake of recent password attacks on US retailers including Target and Neiman Marcus.
According to PC Pro, the hackers stole usernames and passwords from a third-party database, before using the information to attack Yahoo accounts. Yahoo has not identified which third party has been hacked. Jay Rossiter, senior vice president of product and platform at Yahoo, warned users to be cautious with their passwords: “In addition to adopting better password practices by changing your password regularly and using different variations of symbols and characters, users should never use the same password on multiple sites or services.”
In its statement, Yahoo emphasised that it is working with federal law enforcement to “find and prosecute the perpetrators responsible for this attack.” In the meantime, the company is operating a two-factor verification process on its accounts, using SMS messages or alternative email addresses for users to confirm their identity.
Yahoo has had its share of technical trouble in the last two months. In December, its email service went down for several days, affecting about 1 million users. Earlier this year, Yahoo websites across Europe were found to have been compromised, serving advertising that spread malware designed to use victims’ computers to mine Bitcoins.
Author: Staff Writer, ESET