Yahoo detects huge hack attack against Yahoo Mail users, resets passwords

Graham Cluley

Yahoo has revealed that it has detected a “coordinated effort” to break into accounts belonging to Yahoo Mail users, using stolen username and password details.

In a post on its corporate blog, Yahoo said it had uncovered no evidence that the list of usernames and passwords used in the attack had been sourced directly from its own systems – but instead pointed a finger of possible blame towards an unnamed third-party database.

If that’s the case, then it’s possible that online criminals are attempting to exploit another hacked username/password database to see if the stolen details will unlock accounts at Yahoo.

Of course, if true, it would be surprising if the attackers didn’t also attempt to breach accounts hosted at other webmail providers.


Yahoo blog post

Based on our current findings, the list of usernames and passwords that were used to execute the attack was likely collected from a third-party database compromise. We have no evidence that they were obtained directly from Yahoo’s systems. Our ongoing investigation shows that malicious computer software used the list of usernames and passwords to access Yahoo Mail accounts. The information sought in the attack seems to be names and email addresses from the affected accounts’ most recent sent emails.

Yahoo went on to say that it had reset the passwords of all accounts that appeared to be affected.

So, if you are prompted to change your Yahoo Mail password, remember the golden rules:

  • Use a password that is hard to guess, and hard to crack (in other words: not based on dictionary words, your pet’s name, or an obvious sequence like “1234567”).
  • Never use the same password in more than one place.

If you do make the mistake of reusing passwords, you are running the risk of having your password compromised in one place (perhaps via a phishing attack or keylogger) and then hackers using it to unlock your other online accounts.

If you find passwords a burden – simply use password management software like Bitwarden, 1Password, and KeePass to make them both safer and easier to remember.

And, if you are a Yahoo Mail user and want to better protect your account in future, why not enable two factor authentication?

If you turn 2FA on (Yahoo calls its implementation second sign-in verification), you will be sent a 6-digit code via SMS text message every time you attempt to log in to Yahoo Mail via the web from a new computer.

That means if your Yahoo password is stolen, the hackers shouldn’t be able to actually do anything with it (unless they also have your mobile phone!).

Certain applications (for instance, iOS Mail, Android Mail, and Outlook) don’t support Yahoo’s second sign-in verification. For those you will need to generate one-time passwords, separate from the one you use on your Yahoo account.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

One comment on “Yahoo detects huge hack attack against Yahoo Mail users, resets passwords”

  1. Fred

    Well I am simply missing here my favorite and long-time used password manager – Sticky Password. I can recommend it to everyone.
