In a post on its corporate blog, said it had uncovered no evidence that the list of usernames and passwords used in the attack had been sourced directly from its own systems – but instead pointed a finger of possible blame towards an unnamed third-party database.
If that’s the case, then it’s possible that online criminals are attempting to exploit another hacked username/password database to see if the stolen details will unlock accounts at Yahoo.
Of course, if true, it would be surprising if the attackers didn’t also attempt to breach accounts hosted at other webmail provdiders.
Based on our current findings, the list of usernames and passwords that were used to execute the attack was likely collected from a third-party database compromise. We have no evidence that they were obtained directly from Yahoo’s systems. Our ongoing investigation shows that malicious computer software used the list of usernames and passwords to access Yahoo Mail accounts. The information sought in the attack seems to be names and email addresses from the affected accounts’ most recent sent emails.
Yahoo went on to say that it had reset the passwords of all accounts that appeared to be affected.
So, if you are promoted to change your Yahoo Mail password remember the golden rules:
- Use a password that is hard to guess, and hard to crack (in other words: not based on dictionary words, your pet’s name, or an obvious sequence like “1234567”).
- Never use the same password in one more than place.
If you do make the mistake of reusing passwords, you are running the risk of having your password compromised in one place (perhaps via a phishing attack or keylogger) and then hackers using it to unlock your other online accounts.
And, if you are a Yahoo Mail user and want to better protect your account in future, why not enable two factor authentication?
If you turn 2FA on (Yahoo calls its implementation second sign-in verification), you will be sent a 6-digit code via SMS text message everytime you attempt to login to Yahoo Mail via the web from a new computer.
That means if your Yahoo password is stolen, the hackers shouldn’t be able to actually do anything with it (unless they also have your mobile phone!).
Certain applications (for instance, iOS Mail, Android Mail, and Outlook) don’t support Yahoo’s second sign-in verification. For those you will need to generate one-time passwords, separate from the one you use on your Yahoo account.
Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.