By Jennifer LeClaire / CIO Today. Updated January 31, 2014.
After major e-mail woes in December, Yahoo is now getting hit with another massive problem. Yahoo Mail has been hacked. Jay Rossiter, senior vice president of Platforms and Personalization Products at Yahoo, confirmed the hack on the firm’s Tumblr blog.
“Security attacks are unfortunately becoming a more regular occurrence. Recently, we identified a coordinated effort to gain unauthorized access to Yahoo Mail accounts,” he said. “Upon discovery, we took immediate action to protect our users, prompting them to reset passwords on impacted accounts.”
Based on Yahoo’s current findings, Rossiter said the list of usernames and passwords that were used to execute the attack was likely collected from a third-party database compromise.
What Is Yahoo Doing?
“We have no evidence that they were obtained directly from Yahoo’s systems. Our ongoing investigation shows that malicious computer software used the list of usernames and passwords to access Yahoo Mail accounts,” Rossiter said. “The information sought in the attack seems to be names and e-mail addresses from the affected accounts’ most recent sent e-mails.”
Rossiter then outlined what Yahoo is doing to protect Mail users. First, the company is resetting passwords on impacted accounts and using second sign-in verification to allow users to re-secure their accounts. Rossiter said impacted users will be prompted to change their passwords and may receive an e-mail notification or an SMS text if they have added a mobile number to their accounts.
Yahoo is also working with federal law enforcement to find and prosecute the perpetrators responsible for this attack. Rossiter said the company has implemented additional measures to block attacks against Yahoo’s systems.
Keeping E-mail Accounts Secure
“In addition to adopting better password practices by changing your password regularly and using different variations of symbols and characters, users should never use the same password on multiple sites or services,” Rossiter said. “Using the same password on multiple sites or services makes users particularly vulnerable to these types of attacks.”
Rossiter concluded by saying he regrets this has happened and wants to assure Yahoo Mail users that the company takes the security of consumer data very seriously. In December, Yahoo CEO Marissa Mayer personally apologized for a Yahoo Mail outage: “This has been a very frustrating week for our users and we are very sorry.”
“We will continue to work on rolling out IMAP access and to fully restore inbox state (for example, which folders messages were placed in, which messages were starred, etc). This process differs for each user and as restoration continues, we’re committing to communicating directly with you on progress on an individual basis,” she said.
“Above all else, we’re going to be working hard on improvements to prevent issues like this in the future. While our overall uptime is well above 99.9%, even accounting for this incident, we really let you down this week,” she said at the time.