Yahoo's senior vice president of Platforms and Personalisation Products, Jay Rossiter, reported the attack in a blog post, promising that the company has already taken affirmative action to defend its customers.
"Recently, we identified a co-ordinated effort to gain unauthorised access to Yahoo Mail accounts. Upon discovery, we took immediate action to protect our users, prompting them to reset passwords on impacted accounts," read the post.
Rossiter said the attack used stolen credentials from an unknown third-party vendor to break into the accounts and siphon data from them.
"Based on our current findings, the list of usernames and passwords that were used to execute the attack was likely collected from a third-party database compromise. We have no evidence that they were obtained directly from Yahoo's systems," read the blog.
"Our ongoing investigation shows that malicious computer software used the list of usernames and passwords to access Yahoo Mail accounts. The information sought in the attack seems to be names and email addresses from the affected accounts' most recent sent emails."
The identity of the "third-party vendor" remains unknown, though F-Secure security expert Sean Sullivan suggested to V3 the huge breach that hit 38 million Adobe customers last October could be to blame.
He said the attackers could have stolen the data from an Adobe database and then used the information to guess the Yahoo account details.
"The question seems to me to be: does that third-party database appear to be related to Adobe.com?" he said.
At the time of publishing Adobe had not responded to V3's request for comment on the issue.
Rossiter confirmed that the company has sent out password reset requests to affected accounts. He added users should adopt more complex passwords to protect themselves against future attacks.
"We are resetting passwords on impacted accounts and we are using second sign-in verification to allow users to re-secure their accounts. Impacted users will be prompted (if not, already) to change their password and may receive an email notification or an SMS if they have added a mobile number to their account," he said.
"Users should never use the same password on multiple sites or services. Using the same password on multiple sites or services makes users particularly vulnerable to these types of attacks."
Chief security officer at Fujitsu, David Robinson, mirrored Rossiter's sentiment, warning that future attacks on companies such as Yahoo are inevitable.
"It seems that not a week goes by that we don't see a data breach of one type or another. This time, it's Yahoo under the spotlight. But let's not forget, it isn't the first company. And it won't be the last," he said.
"Many businesses and consumers are still failing to see the reality of the situation we are now facing. The effort required to combat breaches is industrial. Companies are no longer fighting against individuals, but a sophisticated criminal industry, designed solely to access their data. This is why we describe organisations in two groups, those who have been hacked and those who will be."
Attacks targeting customer accounts are a growing problem facing businesses. An attack compromising over 16 million German email accounts was uncovered by the country's Federal Office for Information Security (BSI) earlier in January.
No comments:
Post a Comment