Yahoo Mail hacked, attackers gain unauthorized access to its accounts

Pierluigi Paganini January 31, 2014

 

The company has issued a security advisory to warn users that the Yahoo Mail service was hacked and that attackers have stolen the credentials of its email customers.

Yahoo Mail! is considered one of the largest email service providers; millions of people use it every day, so it clearly represents an attractive target for cyber criminals. The day has come: the company issued an official security update for its email users warning of a data breach, without disclosing the extent of the incident in terms of the number of user accounts compromised:

“We identified a coordinated effort to gain unauthorized access to Yahoo Mail accounts,” reports the update. User names and passwords of its email customers have been stolen and are being used to access multiple accounts.

The hackers have compromised a third-party database without penetrating the servers used for the Yahoo Mail service.

We have no evidence that they were obtained directly from Yahoo’s systems. Our ongoing investigation shows that malicious computer software used the list of usernames and passwords to access Yahoo Mail accounts. The information sought in the attack seems to be names and email addresses from the affected accounts’ most recent sent emails.

Yahoo Mail security update

 

This is the second time that Yahoo has been seriously hacked: in July 2012, attackers gathered nearly 450,000 email addresses and passwords from a Yahoo! contributor network.

The interaction between a main application and third-party add-ons and services is considered a weak point in the security chain. For this reason, hackers often direct their efforts against the third-party systems that can give them access to the data managed by the main application. The approach applies to practically every technology and platform: to compromise a mobile device, attackers go after the user's applications, and they use the same reasoning for gaming, CMS, blogging platforms and social networks.

In the majority of cases, third-party applications lack security by design, which is what makes them the weak point in the security chain.

Yahoo has taken the necessary actions to mitigate the risk of exposure for its customers; the following emergency procedures are already under way:

  • We are resetting passwords on impacted accounts and we are using second sign-in verification to allow users to re-secure their accounts. Impacted users will be prompted (if not, already) to change their password and may receive an email notification or an SMS text if they have added a mobile number to their account.
  • We are working with federal law enforcement to find and prosecute the perpetrators responsible for this attack.
  • We have implemented additional measures to block attacks against Yahoo’s systems.

The problem with reusing your password

Probably one of the worst habits of users is to use the same password for multiple accounts. If anyone finds your password, by any method, they can impersonate you on all of those services.

If a hacker breaks into LinkedIn and steals your password (it has already happened in the past), they can impersonate you on LinkedIn and on other websites where you use the same password. Even worse, malicious hackers often publish stolen usernames and passwords to prove they attacked the system. This means that people who know you personally may be able to gain access to your accounts, with potentially disastrous consequences.

Yahoo Mail! users are invited to adopt a strong, dedicated password for the mail service. I always suggest the use of two-factor authentication if available; in this way users can reduce the possibility of getting hacked, although it is not a 100% guarantee.
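From the provider's side, the activity Yahoo describes (software working through a list of usernames and passwords) has a recognisable shape in sign-in logs: one source touches many accounts, once or twice each, and some attempts succeed. The sketch below is an added example, not Yahoo's detection logic or code from the advisory; the log format, the sample events and the thresholds are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample sign-in log: timestamp, source IP, username, result.
SAMPLE_LOG = """\
2014-01-30T10:00:01Z 203.0.113.7 alice FAIL
2014-01-30T10:00:02Z 203.0.113.7 bob OK
2014-01-30T10:00:03Z 203.0.113.7 carol FAIL
2014-01-30T10:00:04Z 203.0.113.7 dave FAIL
2014-01-30T10:00:05Z 203.0.113.7 erin OK
2014-01-30T10:00:06Z 203.0.113.7 frank FAIL
2014-01-30T10:02:10Z 198.51.100.20 grace FAIL
2014-01-30T10:02:25Z 198.51.100.20 grace OK
2014-01-30T10:03:00Z 192.0.2.44 heidi FAIL
2014-01-30T10:03:01Z 192.0.2.44 heidi FAIL
2014-01-30T10:03:02Z 192.0.2.44 heidi FAIL
"""


def parse_events(log_text):
    """Yield (source_ip, username, succeeded) for each well-formed line."""
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) == 4 and fields[3] in ("OK", "FAIL"):
            yield fields[1], fields[2], fields[3] == "OK"


def find_list_replay(log_text, min_accounts=5, max_tries_per_account=2):
    """Map each source that tries many accounts, one or two attempts each,
    to the sorted usernames it signed in to successfully."""
    tries = defaultdict(lambda: defaultdict(int))  # ip -> username -> attempts
    successes = defaultdict(set)  # ip -> usernames that accepted a password
    for ip, user, ok in parse_events(log_text):
        tries[ip][user] += 1
        if ok:
            successes[ip].add(user)
    flagged = {}
    for ip, per_user in tries.items():
        broad = len(per_user) >= min_accounts
        shallow = max(per_user.values()) <= max_tries_per_account
        if broad and shallow:  # breadth without repetition: a replayed list
            flagged[ip] = sorted(successes[ip])
    return flagged


if __name__ == "__main__":
    for ip, accounts in find_list_replay(SAMPLE_LOG).items():
        print(f"{ip}: reset and re-verify {', '.join(accounts) or 'none'}")
```

The usernames returned for a flagged source are the accounts that need a password reset and a second sign-in verification. The thresholds must be tuned against normal traffic, since shared office or carrier NAT addresses also show many legitimate users behind one IP.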

Yahoo confirmed that it is now working with law enforcement to identify those responsible.

Pierluigi Paganini

(Security Affairs –  Yahoo Mail! Data breach)


