Yahoo Mail has been the target of yet another attack, with Yahoo today implementing password resets on affected accounts and moving to engage US federal law enforcement to investigate.
According to the company, attackers acquired a list of usernames and passwords, and by using third-party software to automate the process, attempted to break into a number of accounts at once. Yahoo has not stated how many accounts were affected.
The company has claimed that the list likely came from the compromise of a third party's database.
It is a common technique for criminals to test the usernames and passwords gained from one breach against another website or service. For this reason, users are often advised to never share the same password across other sites.
Yahoo's advisory acknowledges this, stating that "users should never use the same password on multiple sites or services. Using the same password on multiple sites or services makes users particularly vulnerable to these types of attacks".
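On the defending side, the pattern described above (one source replaying a leaked list across many accounts) is distinguishable from a single user mistyping a password. The following is an added illustration, not code from Yahoo or from the article; the log format, addresses and thresholds are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample authentication log: timestamp, source IP, username, outcome.
# 203.0.113.7 walks a list of different accounts; 198.51.100.4 is one user retrying.
SAMPLE_LOG = """\
2014-01-01T10:00:01Z 203.0.113.7 alice FAIL
2014-01-01T10:00:02Z 203.0.113.7 bob FAIL
2014-01-01T10:00:02Z 203.0.113.7 carol OK
2014-01-01T10:00:03Z 203.0.113.7 dave FAIL
2014-01-01T10:00:03Z 203.0.113.7 erin FAIL
2014-01-01T10:00:04Z 203.0.113.7 frank FAIL
2014-01-01T10:00:05Z 198.51.100.4 alice FAIL
2014-01-01T10:00:09Z 198.51.100.4 alice FAIL
2014-01-01T10:00:15Z 198.51.100.4 alice OK
2014-01-01T10:00:20Z 192.0.2.9 grace OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")


def parse_log(text):
    """Parse lines into (timestamp, ip, user, success) tuples; skip malformed ones."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((m.group(1), m.group(2), m.group(3), m.group(4) == "OK"))
    return events


def find_stuffing_sources(events, min_users=5, max_success_ratio=0.5):
    """Return {ip: stats} for sources touching many distinct accounts with mostly failures.

    A legitimate user who mistypes a password hits one account repeatedly, so the
    distinct-username count stays low; a replayed breach list spreads across accounts
    and succeeds only where the password was reused.
    """
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "successes": 0})
    for _ts, ip, user, ok in events:
        s = per_ip[ip]
        s["users"].add(user)
        s["attempts"] += 1
        s["successes"] += int(ok)
    flagged = {}
    for ip, s in per_ip.items():
        if len(s["users"]) >= min_users and s["successes"] / s["attempts"] <= max_success_ratio:
            flagged[ip] = {"distinct_users": len(s["users"]),
                           "attempts": s["attempts"], "successes": s["successes"]}
    return flagged


if __name__ == "__main__":
    for ip, stats in find_stuffing_sources(parse_log(SAMPLE_LOG)).items():
        print(ip, stats)
```

Accounts that show an OK from a flagged source are the ones whose reused passwords worked and are the first candidates for a forced reset.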
Although two-factor authentication would provide an additional security measure to protect against such opportunistic attacks, and Yahoo has this feature as an option, it has been demonstrated that it can be easily bypassed.
Yahoo has further stated that there is no evidence that the credentials were obtained directly from Yahoo's systems.
As recently as last week, however, Yahoo Mail servers were vulnerable to root access, with one researcher coming forward to explain how he had been able to execute code on its servers.
Yahoo's attackers appeared to seek out "names and email addresses from the affected accounts' most recent sent emails", according to the company.
The company has said that it is now rolling out additional security measures to avoid a repeat of the issue. Earlier this year, it made HTTPS the default setting for Yahoo Mail, a move welcomed by security experts, but also considered too little, too late.