Criminals attempt mass attack against Yahoo Mail accounts

Summary: Usernames and passwords obtained through a third party are being tested against Yahoo's servers in an attempt to break into mail accounts.

Yahoo Mail has been the target of another attack, with Yahoo today resetting passwords on the affected accounts and engaging US federal law enforcement to investigate.

According to the company, attackers acquired a list of usernames and passwords, and by using third-party software to automate the process, attempted to break into a number of accounts at once. Yahoo has not stated how many accounts were affected.

The company has said that the list most likely came from the compromise of a third party's database.

It is a common technique for criminals to test the usernames and passwords obtained in one breach against other websites and services. For this reason, users are often advised never to reuse the same password across sites.

Yahoo's advisory acknowledges this, stating that "users should never use the same password on multiple sites or services. Using the same password on multiple sites or services makes users particularly vulnerable to these types of attacks".
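As an added example (not part of the article), this is the kind of check a mail provider's operations team could run over its own authentication logs to spot the pattern described above: one source cycling through many different usernames with mostly failed logins, which is what distinguishes a credential-stuffing run from a single user who mistyped a password. The log format, field names and sample lines are constructed for this illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample auth-log lines (not real Yahoo data): one source cycles
# through different usernames, one user mistypes once, one source hammers one account.
SAMPLE_LOG = """\
2014-01-30T10:00:01Z src=203.0.113.7 user=alice result=FAIL
2014-01-30T10:00:02Z src=203.0.113.7 user=bob result=FAIL
2014-01-30T10:00:03Z src=203.0.113.7 user=carol result=OK
2014-01-30T10:00:04Z src=203.0.113.7 user=dave result=FAIL
2014-01-30T10:00:05Z src=203.0.113.7 user=erin result=FAIL
2014-01-30T10:00:06Z src=203.0.113.7 user=frank result=FAIL
2014-01-30T10:00:10Z src=198.51.100.9 user=grace result=FAIL
2014-01-30T10:00:25Z src=198.51.100.9 user=grace result=OK
2014-01-30T10:01:00Z src=192.0.2.5 user=heidi result=FAIL
2014-01-30T10:01:01Z src=192.0.2.5 user=heidi result=FAIL
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")

def parse_log(text):
    """Parse matching lines into events with an epoch timestamp; skip anything else."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").timestamp()
            events.append({"ts": ts, "src": m["src"], "user": m["user"], "ok": m["result"] == "OK"})
    return events

def find_stuffing_sources(events, window_seconds=300, min_distinct_users=5, max_success_ratio=0.3):
    """Flag a source once it has tried many *different* usernames inside one sliding window
    with mostly failures. One user failing repeatedly (brute force or a typo) is not matched."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)
    flagged = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window_seconds:
                start += 1  # drop events that fell out of the window
            span = evs[start:end + 1]
            users = {e["user"] for e in span}
            successes = sum(e["ok"] for e in span)
            if len(users) >= min_distinct_users and successes / len(span) <= max_success_ratio:
                flagged[src] = {"distinct_users": len(users), "attempts": len(span), "successes": successes}
                break  # alert on the first window that crosses the threshold
    return flagged
```

The one successful login inside the flagged window is exactly the reused-password account the advisory warns about, so a flag here is also a list of accounts to reset.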

Although two-factor authentication would add a further layer of protection against such opportunistic attacks, and Yahoo offers the feature as an option, it has been demonstrated that the feature can be easily bypassed.

Yahoo has further stated that there is no evidence that the credentials were obtained directly from Yahoo's systems.

As recently as last week, however, Yahoo Mail servers were vulnerable to root access, with one researcher coming forward to explain how he had been able to execute code on them.

Yahoo's attackers appeared to seek out "names and email addresses from the affected accounts' most recent sent emails", according to the company.

The company has said that it is now rolling out additional security measures to avoid a repeat of the issue. Earlier this year, it made HTTPS the default setting for Yahoo Mail, a move welcomed by security experts, but also considered too little, too late.

Michael Lee

About Michael Lee

A Sydney, Australia-based journalist, Michael Lee covers a gamut of news in the technology space, including information security, state government initiatives, and local startups.

  • Hackers.

    Why can't you hit something that deserves it and would be a honey hole?
    Consider the Virginia DMV: they have every single document known to mankind in one place.

    These nazis deserve to have every one of those docs in a giant dump.
    Going to this DMV is like getting on the trains to the death camps.

    Changed me from Obama supporter to tea party. We can't allow them the tax revenue to continue; the only way to kill this serpent is to cut off its head, the tax money.
  • Its easy as 1,2,3

    Quick Ruby script to show why you do not need to enter the password again after getting the token. I did that script a few years back, but it still works a treat; you also don't need IE to be visible. Also automate this with a huge username:password list and you are all set to go.

    require 'win32ole'
    def login(user, passwd)
    ie ='InternetExplorer.Application')
    ie.Visible = true # make the window visible
    ie.Navigate("{user}&passwd=#{passwd}") # navigate to the URL
    puts "Sending the initial login request"
    puts "Login has been sent"
    system 'cls'
    print "What is the username:"
    username = gets.chomp.to_s
    print "Ok username is #{username}\n"
    print "What is the password:"
    pass = gets.chomp.to_s
    print "Sending login now, Opening IE\n"
  • Just do away with the password.

    There is a simple way to solve this problem, and that is to do away with the password and replace it with a device or browser ID.

    I have deployed this solution on my own websites. For example and does not need the user to enter any username or password. Their account opens only in the browser they regularly use.

    Hackers would have no way to get to their identity as the identity is not stored online on a server.
  • Hmm

    After what Yahoo has done to make their email service what the military would call a cluster ____, the crooks probably couldn't get any info before it crashed anyway. Or their efforts may be the only thing that does work in their garbage system.