Yahoo Mail Passwords: Act Now

Yahoo suffers hack attack, eyes third-party database and reused credentials as likely culprits, may enforce two-factor authentication to help users recover accounts.

9 Notorious Hackers Of 2013 (Click image for larger view and for slideshow.)
Yahoo said it reset passwords for an unspecified number of accounts after detecting an unfolding hack-attack campaign.
Recently, we identified a coordinated effort to gain unauthorized access to Yahoo Mail accounts. Upon discovery, we took immediate action to protect our users, prompting them to reset passwords on impacted accounts, said Jay Rossiter, whos in charge of Yahoos platforms and personalization products, in an
important security update for Yahoo Mail users
blog post. Some related notifications, however, have yet to be made.
To help users recover their accounts, Yahoo said it may force users to employ
second sign-in verification
-- its version of two-factor authentication -- which sends a six-digit code via SMS to a users registered mobile phone number, provided they have one on file.
According to
Litmus email analytics
, Yahoo Mail comprises 5% of the worlds email clients. In terms of market share -- across desktops, mobile clients, and webmail -- that makes Yahoo Mail the worlds eighth most popular email client, trailing iOS Mail clients (38%), Outlook (14%), Android (12%), Apple Mail (8%), Gmail (6%), and Outlook.com (6%), but placing it ahead of Windows Live Mail (3%) and Windows Mail (2%).
[Can you protect your data on the road?
Data Security: 4 Questions For Road Warriors
.]
Yahoo said theres no evidence that the recent account-hijacking campaign resulted from attackers stealing credentials from Yahoo itself. Rather, whoevers behind the attack appears to have harvested the usernames and passwords from another site, meaning that Yahoo victims likely reused usernames and passwords across multiple sites. Based on our current findings, the list of usernames and passwords that were used to execute the attack was likely collected from a third-party database compromise, Rossiter said. Our ongoing investigation shows that malicious computer software used the list of usernames and passwords to access Yahoo Mail accounts. The information sought in the attack seems to be names and email addresses from the affected accounts most recent sent emails.
He added: We are working with federal law enforcement to find and prosecute the perpetrators responsible for this attack.
Who hijacks email accounts? Criminals may hack into accounts to harvest legitimate names and email addresses to target with phishing attacks or to run scams. One
well-worn ruse
involves an urgent appeal for funds sent under an email account owners name to everyone in his or her address book. The message claims, for example, that the account owner was mugged in London and a hotel is holding his or her passport ransom until the bill is settled in cash. Kindly help me send the money via Western Union Money Transfer to my name and hotel address below, the message reads.
Yahoos account-takeover warning is thus a heads-up, not just for users to beware account takeovers, but for anyone who receives an email sent via Yahoo. Id... recommend being wary of any odd email messages from friends with Yahoo accounts that send you links or attachments in the next few days,
said Chris Mohan
at the Internet Storm Center.
How can Yahoo users better avoid account takeovers altogether? According to
Yahoos tips for safeguarding its accounts
, the company recommends that all account users add an alternate email address and mobile number to your account, which can be used to receive a password reset, in the event that the account has been compromised.
Also never reuse the same password across multiple sites. If you do make the mistake of reusing passwords, you are running the risk of having your password compromised in one place -- perhaps via a phishing attack or keylogger -- and then hackers using it to unlock your other online accounts,
said Graham Cluley
, an independent security researcher, in a blog post.
Instead, use a password manager to generate strong passwords -- think long and random -- and then store those passwords.
Modern password managers
will keep your password database synchronized across PCs, mobile devices, and the cloud.
So many people still reuse passwords, however, that some companies, such as Facebook, have begun testing
public dumps of usernames and passwords
to see if they unlock any of their users accounts. If so, the company can lock affected accounts and
force users to pick a new password
.
Beyond never reusing passwords, for optimum account security Yahoo users should also activate the aforementioned second sign-in verification, which Yahoo first introduced in 2011. Once activated, the two-factor verification system will send a six-digit code via SMS to the mobile phone number on file anytime it sees a login attempt -- with a valid username and password -- from a new system. Without that code, would-be attackers cant access the account.
For access to Yahoo email via any non-Yahoo application, meanwhile, the company also offers one-time codes. Certain applications -- for instance, iOS Mail, Android Mail, and Outlook -- dont support Yahoos second sign-in verification, Cluley said. For those, you will need to generate one-time passwords, separate from the one you use on your Yahoo account.
Having a wealth of data is a good thing -- if you can make sense of it. Most companies are challenged with aggregating and analyzing the plethora of data being generated by their security applications and devices. This Dark Reading report,
How Existing Security Data Can Help ID Potential Attacks
, recommends how to effectively leverage security data in order to make informed decisions and spot areas of vulnerability. (Free registration required.)

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Yahoo Mail Passwords: Act Now