Yahoo has revealed that it’s resetting passwords for a number of its email users after discovering a coordinated effort to gain access to accounts.
An advisory published on Tumblr yesterday said:
Based on our current findings, the list of usernames and passwords that were used to execute the attack was likely collected from a third-party database compromise.
We have no evidence that they were obtained directly from Yahoo's systems. Our ongoing investigation shows that malicious computer software used the list of usernames and passwords to access Yahoo Mail accounts.
The information sought in the attack seems to be names and email addresses from the affected accounts' most recent sent emails.
Unfortunately, no further information is available as to which third-party databases may have been compromised, or how many accounts may have been affected, but it does act as a timely reminder that security breaches are an increasingly big concern for any company with an internet presence.
In just the last six months there have been several high-profile attacks including the theft of 38 million Adobe users’ details and the massive data theft at US retailer Target, which saw over 100 million records compromised.
Earlier in 2013, we also saw a significant data breach at Evernote, which saw usernames and passwords of up to 50 million users stolen.
Then, two months later, an almost identical number of users were warned of a similar breach at Amazon-owned LivingSocial.
As you can see, when such breaches occur it is common to see usernames and passwords amongst the stolen data.
For that reason Naked Security advises all users to employ hard-to-guess passwords that are not based upon words found in the dictionary, your name, your pet’s name or anything else that is ridiculously easy to guess, such as “password12345”.
We also highly recommend not using the same password twice, as thieves will often try stolen login credentials across a range of the most popular sites (which is precisely what Yahoo describes happening here). In fact, it's so important that you don't reuse passwords that it's one of our 3 essential security tasks.
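What the attack Yahoo describes looks like from the defender's side is a "credential stuffing" run: one piece of software walks a leaked username/password list against the login endpoint, failing on most accounts and landing on the few whose owners reused the leaked password. The Python below is an added example written for this page (not Yahoo's or Naked Security's code) that runs simple detection logic over a handful of constructed login-log lines: it flags any source address that tries many distinct usernames within a short window with mostly failures, and lists the accounts on which such a source succeeded, since those are the ones that need a forced password reset. The log format, thresholds and IP addresses are assumptions; the example keys on source IP for brevity, whereas a real run spread over a botnet would also need global signals such as the site-wide failure rate.

```python
"""Credential-stuffing detector over constructed login-log lines (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample log (not real Yahoo data). Columns: UTC timestamp, source IP,
# username, outcome. 203.0.113.7 walks a leaked user list and lands one success on
# an account whose owner reused the leaked password; the other two sources are a
# user mistyping their own password and a small office NAT with two real logins.
SAMPLE_LOG = """\
2014-01-30T02:00:01Z 203.0.113.7 alice@example.com FAIL
2014-01-30T02:00:03Z 203.0.113.7 bob@example.com FAIL
2014-01-30T02:00:04Z 198.51.100.20 bob@example.com FAIL
2014-01-30T02:00:06Z 203.0.113.7 carol@example.com FAIL
2014-01-30T02:00:09Z 203.0.113.7 dave@example.com FAIL
2014-01-30T02:00:12Z 198.51.100.20 bob@example.com SUCCESS
2014-01-30T02:00:15Z 203.0.113.7 erin@example.com FAIL
2014-01-30T02:00:18Z 203.0.113.7 frank@example.com SUCCESS
2014-01-30T02:00:20Z 203.0.113.7 grace@example.com FAIL
2014-01-30T02:05:00Z 192.0.2.44 heidi@example.com SUCCESS
2014-01-30T02:05:30Z 192.0.2.44 ivan@example.com SUCCESS
"""


def parse_line(line):
    """Split one log line into (timestamp, ip, username, succeeded)."""
    ts, ip, user, result = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, ip, user, result == "SUCCESS"


def detect_stuffing(log_text, window=timedelta(minutes=10), min_users=5, min_fail_ratio=0.6):
    """Return {ip: summary} for sources that, in any sliding `window`, tried at
    least `min_users` distinct usernames with a failure ratio of `min_fail_ratio`
    or more. A single user retrying their own password never trips this, because
    the distinct-username count stays at one."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            when, ip, user, ok = parse_line(line)
            events[ip].append((when, user, ok))

    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        recent = deque()  # events from this IP inside the current window
        suspicious = False
        for ev in evs:
            recent.append(ev)
            while ev[0] - recent[0][0] > window:
                recent.popleft()
            users = {u for _, u, _ in recent}
            fails = sum(1 for _, _, ok in recent if not ok)
            if len(users) >= min_users and fails / len(recent) >= min_fail_ratio:
                suspicious = True
        if suspicious:
            flagged[ip] = {
                "distinct_users": len({u for _, u, _ in evs}),
                "attempts": len(evs),
                "failures": sum(1 for _, _, ok in evs if not ok),
                # successes from a stuffing source are the accounts to reset
                "compromised": sorted(u for _, u, ok in evs if ok),
            }
    return flagged


if __name__ == "__main__":
    for ip, summary in detect_stuffing(SAMPLE_LOG).items():
        print(ip, summary)
```

Run as-is, the script reports only 203.0.113.7, with seven distinct usernames, six failures and one compromised account (frank@example.com); the mistyped password from 198.51.100.20 and the two successful logins behind 192.0.2.44 are left alone. The same reset-the-successes logic is what Yahoo's advisory describes doing at scale.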
All of us, affected or not, should take this as a timely prompt to beef up our security by employing two-factor authentication (2FA).
Our very own Chester Wisniewski just published an article all about two-factor authentication – what it is, how it works, and why you should take advantage of it where possible.
For Yahoo email users wanting to turn on 2FA, dubbed "second sign-in verification", sign in here and then enter your mobile phone number. You will then be sent a 5-digit code via SMS text message every time you attempt to log in to Yahoo Mail from a new device.
From now on, if your Yahoo Mail password is stolen, it will be of little value to hackers who won’t be able to do much with it unless they also have access to your mobile phone.
Unfortunately, not all applications play nicely with Yahoo's two-factor authentication, so users of Outlook, Android Mail, iOS Mail, etc. will need to generate one-time passwords for those clients, which will be different from your regular Yahoo password.
Image of bullet holes and email attack courtesy of Shutterstock.
9 comments on “Yahoo prompts password reset after mass attack on email service”
2FA is hard to do unless you have a mobile phone! Not everyone has one!
Yahoo keeps asking me for my mobile phone number. But I don’t have a mobile phone.
I have a mobile, but will not give it to Yahoo to lose again!
I have a mobile phone, but I don’t have texting!
Despite the previous comment, most people do have a mobile/cell phone and most of those in the developed world are smart phones. These, of course, provide a potentially very simple means of creating a 2FA logon system. But there is a major fly in this ointment – very many people now use their smart phone as their main access device to the internet and when that is stolen 2FA counts for nothing.
The recommendation must be for the 2FA phone to be a different one from that normally used for internet account access.
I had the same thing happen with my GMAIL on 1/30/14
Over the last 4 years I have told Yahoo of several attacks or attempts to access my mail account. All are from within the USA if you can believe the Yahoo data. So I have to keep changing passwords about every month, which is a real pain.
Also, MS Outlook Connector will no longer connect to Yahoo mail services, so mails are no longer accessible from one place. Not very convenient.
Sadly, not everyone wants or uses SMS or has a mobile phone. I so wish there was an alternative besides text messages or SMS. How about using my phone number and calling?
Every time I attempt to change my Yahoo Mail password, nothing happens after I click continue. I can’t figure out what the problem is.