An attempt to gain access to Yahoo Mail accounts was thwarted.
In a statement, Yahoo senior vice president of platforms and personalisation products Jay Rossiter, said that it identified “a coordinated effort to gain unauthorized access to Yahoo Mail accounts” and upon discovery “took immediate action to protect our users, prompting them to reset passwords on impacted accounts”.
Yahoo said that while there is no evidence that the passwords used to try and access the accounts were obtained directly from Yahoo’s systems, he did say that the list of usernames and passwords that were used to execute the attack were “likely collected from a third-party database compromise”.
He said: “Our ongoing investigation shows that malicious computer software used the list of usernames and passwords to access Yahoo Mail accounts.” As a precaution, it is resetting passwords on what it deems to be “impacted accounts”, and was using second sign-in verification to allow users to re-secure their accounts. It has also implemented additional measures to block attacks against Yahoo’s systems. It was also unclear as to when the attempted attack took place.
Commenting, Ashish Patel, regional director at Stonesoft, a McAfee Group Company, said that this highlights the growing responsibility of businesses to do far more to protect users’ data.
“If it is indeed the result of a third-party database compromise, Yahoo needs to have greater insight into the security systems of the third parties it is sharing data with to avoid a repeat performance and ensure it remains a trusted brand,” he said.
“Any organisation can be at risk to a cyber threat, with information both an asset to be protected and a weapon to be used. Because of this, security teams within all industries need to assess their current protection, deploy appropriate measures and remain vigilant.”
George Anderson, product marketing director at Webroot, said that companies should be more responsible when holding customers’ data and should put security at the heart of their operations.
“Encryption is one way forward, as is the requirement to change the password every three months or so. However, although organisations like Yahoo have a big role to play in ensuring user data is stored safely and securely, at the end of the day it’s also the responsibility of consumers to do everything they can to keep their credentials safe,” he said.
Ross Brewer, vice president and managing director for international markets at LogRhythm, said: “It is unfortunate that Yahoo has once again become associated with such a high profile breach, but this only highlights the increased determination and sophistication of hackers today.
“What’s more, the fact that initial reports suggests a third party database breach continues a worrying trend of cyber criminals targeting the weakest points to gain a foothold into bigger, more lucrative organisations. Sadly, the point of entry becomes irrelevant as it is Yahoo itself facing the reputational repercussions now.”