Slashdot Mirror


Yahoo Mail Resets Account Passwords After Attack

MAXOMENOS writes: "Last night Yahoo! announced via their Tumblr page that they had detected attacks against some Yahoo Mail accounts. They reset the passwords to all affected accounts, and advised users of good password practices. Quoting: 'Based on our current findings, the list of usernames and passwords that were used to execute the attack was likely collected from a third-party database compromise. We have no evidence that they were obtained directly from Yahoo's systems. Our ongoing investigation shows that malicious computer software used the list of usernames and passwords to access Yahoo Mail accounts. The information sought in the attack seems to be names and email addresses from the affected accounts' most recent sent emails.'"

4 of 96 comments

  1. password will not protect you by Anonymous Coward · Score: 3, Informative

    advised users of good password practices

    Good password practices are pointless if the backend database is compromised. That's like adhering to the five second rule after dropping a donut in a dogpile.

  2. Happens at all ISPs by Anonymous Coward · Score: 2, Informative

    I work for a large ISP and we regularly see our customers' accounts targeted when some other website leaks their user information and it includes email addresses on our network and passwords the attackers can guess will give them access. If we can get hold of the leaked data we can work out which accounts are at risk and either warn the customers or reset their authentication credentials beforehand. Standard practice and good to see Yahoo is following it.
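
The triage described in the comment above (matching a leaked credential list against a provider's own accounts, then resetting or warning), as an added example that is not part of the original thread. The domain, the `email:password` leak format and the PBKDF2-based user store are assumptions made for illustration.

```python
import hashlib
import hmac
import os

OUR_DOMAIN = "isp.example"  # assumption: the provider's mail domain
ITERATIONS = 100_000        # assumption: PBKDF2 work factor of the local store

def hash_password(password: str, salt: bytes) -> bytes:
    """Hash a candidate the same way the (assumed) local store does."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def triage_leak(leak_lines, user_store):
    """Return (reset, warn): accounts whose leaked password works here, and the rest of ours."""
    reset, warn = set(), set()
    for line in leak_lines:
        email, sep, password = line.strip().partition(":")
        email = email.lower()  # assumption: addresses are case-insensitive here
        if not sep or not email.endswith("@" + OUR_DOMAIN):
            continue  # malformed line, or another provider's customer
        record = user_store.get(email)
        if record is None:
            continue  # address is not an account on this system
        salt, stored = record
        if hmac.compare_digest(hash_password(password, salt), stored):
            reset.add(email)  # password reused: force a credential reset
        else:
            warn.add(email)   # address exposed, password differs: notify only
    return reset, warn - reset  # a reset outranks a warning for the same account

def _account(password):
    salt = os.urandom(16)
    return salt, hash_password(password, salt)

# Constructed sample data, not taken from any real leak.
USER_STORE = {
    "alice@isp.example": _account("correct horse"),
    "bob@isp.example": _account("S3parate!pw"),
}
LEAK = [
    "alice@isp.example:correct horse",  # reused password
    "Bob@ISP.example:hunter2",          # ours, but a different password
    "carol@other.example:letmein",      # not our domain
    "garbage-line-without-separator",
]

if __name__ == "__main__":
    to_reset, to_warn = triage_leak(LEAK, USER_STORE)
    print("force reset:", sorted(to_reset))
    print("warn only:  ", sorted(to_warn))
```
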

  3. Among the funny things ... by fidget · Score: 5, Informative

    ... is why suddenly yahoo is making a show of caring.

    I have a four-letter yahoo account (not that kind of four-letter word...) from waaaaay back in the day. It was something I maintained for about two decades for plausible deniability... a cut-out.

    SCORES of people have tried to hack it. A couple have succeeded, but not since I switched it to a 32-character mixed-case-and-special password. Still, they try at the rate of about 3 a week (that I *see* via attempted password-reset manipulations, 2-factor authentication change attempts, etc).

    But ... I have received about 10 emails from folks who wanted to 'own' the email address. And -- I think -- because I didn't acquiesce, I have received hundreds of thousands of spam emails in the intervening time. They've submitted my email to stupid dating sites in French, German, Thai, Spanish, Tamil and most recently Hebrew. Hell, I got 1000+ emails/day from ONE SITE for a few days, about a week ago.

    There's been phishing, spear-phishing based on the pseudo-identity hosted there, blind newsletter sign-up. Every kind of crap you can imagine, and several more.

    And every step of the way, I reported the infringements, the spamming, the users who have a variant of the name (e.g. foo2525 instead of foo): to the spam-handlers and to the variant-users.

    And yahoo has never given a shit. Not once. Period. IMHO, 'cause it was one account-holder. But I've kept it anyway -- since it's a great cut-out. And I'll continue to do so. Yahoo is a joke; has been for many years now. Sometimes... that's its value. It's a great example of what NOT to do, and it's a great revealer of the seedy underbelly of the 'net.

    http://demotivators.despair.co...

  4. Last night's spam email was probably the cause by cjmnews · Score: 4, Informative

    A spam email that went to the Inbox stating that Yahoo! was going to close all inactive accounts if you did not click on this link and log in was probably how the attacker got the passwords. The link went to one of those off-shore URLs that we should all avoid.

    Phishing is still alive and well.

    And there are a lot of gullible people to phish for.

    --
    You can lose something that is loose, so tighten the loose item so you don't lose it.