Yahoo has revealed that some Yahoo Mail accounts have been accessed by unknown attackers using passwords allegedly stolen from third-party sources.
“We took immediate action to protect our users, prompting them to reset passwords on impacted accounts,” said a blog post by Jay Rossiter, senior vice-president, platforms and personalisation products.
“Based on our current findings, the list of usernames and passwords that were used to execute the attack was likely collected from a third-party database.
“We have no evidence that they were obtained directly from Yahoo’s systems,” he wrote.
In December, security researchers discovered more than two million stolen passwords for Facebook, Twitter, Google, Yahoo, LinkedIn and other online services.
The list of stolen passwords was discovered by researchers from security firm Trustwave on a server controlling a botnet of hijacked computers.
Criminal gangs typically harvest login credentials either for their own use or to sell to other criminals.
Yahoo investigators found that malicious computer software used the list of usernames and passwords to access Yahoo Mail accounts, and that the attack was aimed at harvesting names and email addresses from the compromised accounts’ most recently sent emails.
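The pattern described above (a leaked third-party credential list replayed against many accounts, with a minority of hits) leaves a recognisable trace in authentication logs. The following Python is an added example, not Yahoo's code; it assumes a constructed log format of `<timestamp> ip=<src> user=<account> result=<ok|fail>` and flags sources that try many distinct usernames with a low success ratio, returning the accounts they did get into so those can be forced to reset.

```python
"""Flag credential-stuffing sources in login logs (added example, not
Yahoo's code). Log format is an assumption for this example:
'<iso-timestamp> ip=<src> user=<account> result=<ok|fail>'."""
from collections import defaultdict

# Constructed sample: one source replays a leaked list across many accounts
# with mostly failures; a normal user mistypes once and then logs in.
SAMPLE_LOG = """\
2014-01-30T10:00:01Z ip=203.0.113.7 user=alice result=fail
2014-01-30T10:00:02Z ip=203.0.113.7 user=bob result=fail
2014-01-30T10:00:02Z ip=203.0.113.7 user=carol result=ok
2014-01-30T10:00:03Z ip=203.0.113.7 user=dave result=fail
2014-01-30T10:00:03Z ip=203.0.113.7 user=erin result=fail
2014-01-30T10:00:04Z ip=203.0.113.7 user=frank result=ok
2014-01-30T10:00:04Z ip=203.0.113.7 user=grace result=fail
2014-01-30T10:00:05Z ip=203.0.113.7 user=heidi result=fail
2014-01-30T10:01:00Z ip=198.51.100.4 user=ivan result=fail
2014-01-30T10:01:05Z ip=198.51.100.4 user=ivan result=ok
"""

def parse_line(line):
    """Split one log line into (timestamp, ip, user, success_flag)."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return ts, kv["ip"], kv["user"], kv["result"] == "ok"

def find_stuffing_sources(log_text, min_users=5, max_success_ratio=0.5):
    """Return {ip: sorted accounts it logged into} for sources that tried
    many distinct usernames with a low success ratio. A legitimate client
    retries one account; a stuffing client walks down a list."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, ip, user, ok = parse_line(line)
        attempts[ip].append((user, ok))
    flagged = {}
    for ip, tries in attempts.items():
        users = {u for u, _ in tries}
        successes = sum(1 for _, ok in tries if ok)
        if len(users) >= min_users and successes / len(tries) <= max_success_ratio:
            flagged[ip] = sorted({u for u, ok in tries if ok})
    return flagged

def accounts_to_reset(log_text):
    """Accounts accessed from a flagged source: candidates for a forced reset."""
    return sorted({u for users in find_stuffing_sources(log_text).values() for u in users})
```

On the constructed sample, only `203.0.113.7` is flagged (eight distinct usernames, two successes), and `carol` and `frank` are the accounts to reset; the thresholds are tuning knobs, not fixed values.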
In addition to resetting the passwords, Yahoo will implement two-step verification for additional security on the affected accounts, using either an email notification to an alternative address or a text message to the user's mobile phone.
The company said it is working with law enforcement agencies to find and prosecute those responsible and has implemented additional measures to block attacks against Yahoo’s systems.
Yahoo has advised users to adopt better password practices such as changing passwords regularly and never using the same password for multiple sites or services.
“Using the same password on multiple sites or services makes users particularly vulnerable to these types of attacks,” Rossiter wrote.
Commentators agree that security is a shared responsibility.
“While organisations like Yahoo have a big role to play in ensuring user data is stored safely and securely through technologies such as encryption, it is also the responsibility of consumers to do everything they can to keep their credentials safe,” said George Anderson, product marketing director at Webroot.
“In addition to multiple passwords, end users should also change their passwords on a regular basis and make sure to take advantage of any additional layers of security available such as biometrics, PIN and so on to ensure their data is safe in spite of any attempted hacks,” he said.
David Robinson, chief security officer at Fujitsu UK & Ireland, said ongoing breaches of this sort indicate that many businesses and consumers are still failing to see the reality of the situation.
“The effort required to combat breaches is industrial. Companies are no longer fighting against individuals, but a sophisticated criminal industry, designed solely to access their data,” he said.
According to Robinson, the issue for businesses is that, thanks in part to wider awareness, consumer tolerance for data loss is at an all-time low.
“Research by Fujitsu shows that consumer trust has significantly reduced, with over one in 10 consumers suffering from a data loss and less than 10% believing that consumers are doing enough to ensure their data is protected,” he said.
To remain ahead of their competitors – and trusted in the eyes of the consumer – Robinson believes organisations should ensure they are robust in their security.
Peter Armstrong, director of cyber security at Thales UK, agrees that the recent rise in cyber attacks on organisations, such as Yahoo, is evidence that the full extent of the cyber threat to enterprises has yet to be fully understood.
“Large businesses such as this need to adopt a more holistic approach that tightly integrates cyber defences with processes, physical measures and people.
“If you are a high-profile customer-facing organisation such as Yahoo, security procedures need to be adequately secured and re-assessed on a regular basis,” he said.