31 January 2014
It has been a really bad year for the world's second-largest email service provider, Yahoo Mail! The company announced today, 'we identified a coordinated effort to gain unauthorized access to Yahoo Mail accounts'. Usernames and passwords of its email customers have been stolen and are being used to access multiple accounts.
Yahoo did not say how many accounts have been affected, nor is it sure about the source of the leaked user credentials. They appear to have come from a compromised third-party database, and not from an infiltration of Yahoo's own servers.
"We have no evidence that they were obtained directly from Yahoo’s systems. Our ongoing investigation shows that malicious computer software used the list of usernames and passwords to access Yahoo Mail accounts. The information sought in the attack seems to be names and email addresses from the affected accounts’ most recent sent emails."
For now, Yahoo is taking proactive action to protect its affected users: "We are resetting passwords on impacted accounts and we are using second sign-in verification to allow users to re-secure their accounts. Impacted users will be prompted (if not, already) to change their password and may receive an email notification or an SMS text if they have added a mobile number to their account."
People frequently use the same password on multiple accounts, so hackers are possibly brute-forcing Yahoo accounts with user credentials stolen in other data breaches.
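In a login log, replayed breach credentials look different from classic password guessing: one source tries many accounts once or twice each, instead of guessing many times at one account. The Python below is an added example, not code from Yahoo or the original article; the log format, thresholds, usernames and IP addresses are constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample login log: timestamp, source IP, username, outcome.
SAMPLE_LOG = """\
2014-01-30T10:00:01 203.0.113.7 alice FAIL
2014-01-30T10:00:03 203.0.113.7 bob FAIL
2014-01-30T10:00:04 203.0.113.7 carol OK
2014-01-30T10:00:06 203.0.113.7 dave FAIL
2014-01-30T10:00:09 203.0.113.7 erin OK
2014-01-30T10:01:00 198.51.100.9 alice FAIL
2014-01-30T10:01:02 198.51.100.9 alice FAIL
2014-01-30T10:01:03 198.51.100.9 alice FAIL
2014-01-30T10:01:05 198.51.100.9 alice FAIL
2014-01-30T10:01:07 198.51.100.9 alice FAIL
2014-01-30T09:00:00 192.0.2.44 grace FAIL
2014-01-30T09:00:20 192.0.2.44 grace OK
"""

def parse(log_text):
    """Group (time, user, outcome) events by source IP."""
    by_src = defaultdict(list)
    for line in filter(str.strip, log_text.splitlines()):
        ts, src, user, outcome = line.split()
        by_src[src].append((datetime.fromisoformat(ts), user, outcome))
    return by_src

def classify(events, window=timedelta(minutes=10), threshold=5):
    """Label one source by the shape of its attempts in a sliding window."""
    events = sorted(events)
    label, start = "normal", 0
    for end in range(len(events)):
        while events[end][0] - events[start][0] > window:
            start += 1
        per_user = Counter(user for _, user, _ in events[start:end + 1])
        if len(per_user) >= threshold and end - start + 1 <= 2 * len(per_user):
            return "credential_stuffing"  # many accounts, 1-2 tries each
        if max(per_user.values()) >= threshold:
            label = "brute_force"         # many guesses at one account
    return label

def detect(log_text):
    return {src: classify(ev) for src, ev in parse(log_text).items()}

def accounts_to_reset(log_text):
    """Accounts that a credential-stuffing source logged in to successfully."""
    return sorted({user for src, ev in parse(log_text).items()
                   if classify(ev) == "credential_stuffing"
                   for _, user, outcome in ev if outcome == "OK"})
```

The accounts returned by `accounts_to_reset` are the ones whose reused password worked, which is the group Yahoo describes resetting.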
Yahoo users can prevent account hijacks by using a strong and unique password. You can use the 'Random strong password generator' feature of the DuckDuckGo search engine to get a unique and strong password.
Users are also advised to enable two-factor authentication, which requires a code texted to the legitimate user's mobile phone whenever a login attempt is made from a new computer.
Yahoo! was hacked in July 2012, with attackers stealing 450,000 email addresses and passwords from a Yahoo! contributor network.