Yahoo prompts password reset after mass attack on email service

Yahoo has revealed that it’s resetting passwords for a number of its email users after discovering a coordinated effort to gain access to accounts.

An advisory published on Tumblr yesterday said:

Based on our current findings, the list of usernames and passwords that were used to execute the attack was likely collected from a third-party database compromise.

We have no evidence that they were obtained directly from Yahoo's systems. Our ongoing investigation shows that malicious computer software used the list of usernames and passwords to access Yahoo Mail accounts.

The information sought in the attack seems to be names and email addresses from the affected accounts' most recent sent emails.
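The advisory describes a classic credential-stuffing pattern: software replaying a leaked username/password list against a mail service, with a minority of attempts succeeding. The script below is an added example, not Yahoo's or Naked Security's code, showing how a defender can spot that pattern in login logs: one source trying many distinct accounts in a short window with a low success ratio, and which accounts it nevertheless got into (the ones worth a forced reset). The log format, the field names and the thresholds are assumptions, and the sample lines are constructed.

```python
"""Flag credential-stuffing sources in web-mail login logs (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, source IP, username, result.
# 203.0.113.5 sprays eight different accounts in a few seconds;
# 198.51.100.7 is one user mistyping their own password.
SAMPLE_LOG = """\
2014-01-30T10:00:01Z 203.0.113.5 alice FAIL
2014-01-30T10:00:02Z 203.0.113.5 bob FAIL
2014-01-30T10:00:02Z 203.0.113.5 carol OK
2014-01-30T10:00:03Z 203.0.113.5 dave FAIL
2014-01-30T10:00:04Z 203.0.113.5 erin FAIL
2014-01-30T10:00:05Z 203.0.113.5 frank OK
2014-01-30T10:00:06Z 203.0.113.5 grace FAIL
2014-01-30T10:00:07Z 203.0.113.5 heidi FAIL
2014-01-30T10:05:00Z 198.51.100.7 alice FAIL
2014-01-30T10:05:30Z 198.51.100.7 alice FAIL
2014-01-30T10:06:00Z 198.51.100.7 alice OK
"""


def parse_line(line):
    """Split one assumed-format log line into (timestamp, ip, user, success)."""
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result == "OK"


def find_stuffing_sources(log_text, window=timedelta(minutes=5),
                          min_users=5, max_success_ratio=0.5):
    """Return {ip: {"users": set, "compromised": set}} for sources that tried
    at least `min_users` distinct accounts inside `window` with a success
    ratio of at most `max_success_ratio` (thresholds are assumptions).
    """
    events = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, ip, user, ok = parse_line(line)
        events[ip].append((ts, user, ok))

    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until it fits inside `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            users = {u for _, u, _ in span}
            if len(users) < min_users:
                continue
            successes = sum(1 for _, _, ok in span if ok)
            if successes / len(span) <= max_success_ratio:
                # report every account this source touched, and those it got into
                flagged[ip] = {
                    "users": {u for _, u, _ in evs},
                    "compromised": {u for _, u, ok in evs if ok},
                }
                break
    return flagged


def accounts_to_reset(flagged):
    """Accounts that saw a successful login from any flagged source."""
    reset = set()
    for info in flagged.values():
        reset |= info["compromised"]
    return reset


if __name__ == "__main__":
    hits = find_stuffing_sources(SAMPLE_LOG)
    for ip, info in hits.items():
        print(ip, "tried", len(info["users"]), "accounts; got into", sorted(info["compromised"]))
    print("force password reset for:", sorted(accounts_to_reset(hits)))
```

The success-ratio test matters: a single user retrying their own password fails the distinct-account threshold, while a list replay that is mostly wrong but occasionally right (exactly what a reused third-party password produces) is what gets flagged.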

Unfortunately, no further information is available as to which third-party databases may have been compromised, or how many accounts may have been affected, but it does act as a timely reminder that security breaches are an increasingly big concern for any company with an internet presence.

In just the last six months there have been several high-profile attacks including the theft of 38 million Adobe users’ details and the massive data theft at US retailer Target, which saw over 100 million records compromised.

Earlier in 2013, we also saw a significant data breach at Evernote, which saw usernames and passwords of up to 50 million users stolen.

Then, two months later, an almost identical number of users were warned of a similar breach at Amazon-owned LivingSocial.

As you can see, when such breaches occur it is common to see usernames and passwords amongst the stolen data.

For that reason Naked Security advises all users to employ hard-to-guess passwords that are not based on dictionary words, your name, your pet’s name or anything else that is ridiculously easy to guess, such as “password12345”.

We also highly recommend not using the same password twice as thieves will often try using stolen login credentials across a range of the most popular sites (in fact it’s so important that you don’t reuse passwords it’s one of our 3 essential security tasks).

All of us, affected or not, should take this as a timely prompt to beef up our security by employing two-factor authentication (2FA).

Our very own Chester Wisniewski just published an article all about two-factor authentication – what it is, how it works, and why you should take advantage of it where possible.

For you Yahoo email users wanting to turn on 2FA, dubbed “second sign-in verification”, sign in here and then enter your mobile phone number. You will then be sent a 5-digit code via SMS text message every time you attempt to log in to Yahoo Mail from a new device.

From now on, if your Yahoo Mail password is stolen, it will be of little value to hackers, who won’t be able to do much with it unless they also have access to your mobile phone.

Unfortunately, not all applications play nicely with Yahoo’s two-factor authentication, so users of Outlook, Android Mail, iOS Mail, etc. will need to generate one-time passwords, which will be different to your regular Yahoo password.
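The three mechanisms just described (a step-up SMS code on a new device, a remembered device afterwards, and a separate one-time password for mail clients that cannot handle the second step) fit together as shown in this added example. It is a model of the flow, not Yahoo's implementation: the class and method names, the 5-minute code lifetime and the PBKDF2 parameters are assumptions. The point it makes concrete is the one in the text: a stolen main password alone yields "need_code", never "ok", from an unrecognised device.

```python
"""Login flow with second sign-in verification and app passwords (added example)."""
import hashlib
import hmac
import secrets
import time


class Account:
    CODE_LIFETIME = 300  # seconds; assumption, not a Yahoo value

    def __init__(self, password):
        self.salt = secrets.token_bytes(16)
        self.pw_hash = self._hash(password)
        self.trusted_devices = set()   # device ids that completed SMS verification
        self.app_passwords = {}        # hash -> label, for Outlook/iOS Mail style clients
        self.pending_code = None       # (code, expiry) while a challenge is outstanding

    def _hash(self, secret):
        return hashlib.pbkdf2_hmac("sha256", secret.encode(), self.salt, 100_000)

    def check_password(self, candidate):
        return hmac.compare_digest(self._hash(candidate), self.pw_hash)

    def login(self, password, device_id):
        """Returns 'denied', 'need_code' (step-up required) or 'ok'."""
        if not self.check_password(password):
            return "denied"
        if device_id in self.trusted_devices:
            return "ok"
        return "need_code"

    def start_sms_verification(self, now=None):
        """Create a 5-digit single-use code; in production it goes out by SMS only."""
        code = f"{secrets.randbelow(100_000):05d}"
        self.pending_code = (code, (now or time.time()) + self.CODE_LIFETIME)
        return code

    def finish_sms_verification(self, code, device_id, now=None):
        """Consume the outstanding code; on success remember the device."""
        if self.pending_code is None:
            return False
        expected, expiry = self.pending_code
        self.pending_code = None  # single use, whether or not it matches
        if (now or time.time()) > expiry:
            return False
        if not hmac.compare_digest(expected, code):
            return False
        self.trusted_devices.add(device_id)
        return True

    def create_app_password(self, label):
        """Random per-client password for software that cannot do the SMS step."""
        app_pw = secrets.token_urlsafe(12)
        self.app_passwords[self._hash(app_pw)] = label
        return app_pw

    def login_legacy_client(self, app_password):
        """Legacy clients authenticate only with an app password, never the main one."""
        candidate = self._hash(app_password)
        return any(hmac.compare_digest(candidate, h) for h in self.app_passwords)


if __name__ == "__main__":
    acct = Account("correct horse battery")
    print(acct.login("correct horse battery", "laptop"))          # need_code
    code = acct.start_sms_verification()
    print(acct.finish_sms_verification(code, "laptop"))           # True
    print(acct.login("correct horse battery", "laptop"))          # ok
    print(acct.login("correct horse battery", "attacker-box"))    # need_code
    mail_pw = acct.create_app_password("iOS Mail")
    print(acct.login_legacy_client(mail_pw), acct.check_password(mail_pw))  # True False
```

Two design choices carry the security weight: the code is consumed on the first attempt (so a guess cannot be retried against the same challenge) and the app password is a separate credential that never grants web sign-in, so losing it does not expose the main password.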
