Yahoo provides little detail on Yahoo Mail attack

Cybercrims have undertaken a “coordinated” campaign to break into some number of Yahoo Mail accounts, but Yahoo has released scant details on the specifics of the attack, including how many accounts were targeted.

The company acknowledged the attack in an entry on its official Tumblr, titled ‘Important Security Update for Yahoo Mail Users’, penned by Jay Rossiter, SVP, platforms and personalization products.

“Recently, we identified a coordinated effort to gain unauthorised access to Yahoo Mail accounts,” Rossiter wrote.

The company did not divulge how many accounts were targeted in the attack or when it took place.

Rossiter said “malicious computer software” used a list of usernames and passwords to access Yahoo Mail accounts.

“Based on our current findings, the list of usernames and passwords that were used to execute the attack was likely collected from a third-party database compromise,” he claimed. “We have no evidence that they were obtained directly from Yahoo’s systems.”

As for a motive for the attack, Rossiter said: “The information sought in the attack seems to be names and email addresses from the affected accounts’ most recent sent emails.”

Yahoo is resetting passwords on the affected accounts and using “second sign-in verification” to help users secure their accounts.

“Impacted users will be prompted (if not, already) to change their password and may receive an email notification or an SMS text if they have added a mobile number to their account,” Rossiter said.

He also said the company has bolstered its security to help block future attacks and is working with law enforcement to help find the perpetrators of this attack.