Yahoo Mail! is considered one of the largest email service providers; millions of people use it every day, so it is clear that it represents an attractive target for cyber criminals. The day has come: the company issued an official security update for its email users warning of a data breach, without disclosing the extent of the incident in terms of the number of user accounts compromised.
“We identified a coordinated effort to gain unauthorized access to Yahoo Mail accounts,” reports the update: user names and passwords of its email customers have been stolen and are being used to access multiple accounts.
The hackers compromised a third-party database; they did not penetrate the servers used for the Yahoo Mail service.
“We have no evidence that they were obtained directly from Yahoo’s systems. Our ongoing investigation shows that malicious computer software used the list of usernames and passwords to access Yahoo Mail accounts. The information sought in the attack seems to be names and email addresses from the affected accounts’ most recent sent emails.”
This is the second time that Yahoo has been seriously hacked.
The interaction between a main application and third-party add-ons and services is considered a weak point in the security chain; for this reason, hackers often direct their efforts against the third-party systems that can give them access to the data managed by the main application. The method is shared across practically every technology and platform: to compromise a mobile device, attackers go after the applications the user has installed, and the same reasoning is applied to gaming, CMS, blogging platforms and social networks.
In the majority of cases, third-party applications lack security by design, which is exactly what makes them the weak point in the chain.
Yahoo has started all the actions necessary to mitigate the risk of exposure for its customers, following the emergency procedures already in place:
The problem with reusing your password
Probably one of the worst habits of users is using the same password for multiple accounts: if anyone obtains your password, by any method, they can impersonate you on every service where it is used.
If a hacker breaks into LinkedIn and steals your password (it has already happened in the past), they now have the ability to impersonate you on LinkedIn and on any other website where you use the same password. Even worse, hackers often publish stolen usernames and passwords to prove they attacked the system. This means that people who know you personally may be able to gain access to your accounts, with potentially disastrous consequences.
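The attack Yahoo describes, automated software replaying a list of credentials stolen elsewhere against mailbox accounts, has a recognisable footprint in authentication logs: one source touches many distinct accounts in a short time, mostly failing, and succeeds only where a password was reused. The following detection is an added example, not code from Security Affairs or from Yahoo; the log format, the sample lines and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): "timestamp source_ip username result".
# 203.0.113.7 replays a leaked list across many accounts; two passwords were reused.
SAMPLE_LOG = """\
2014-01-30T10:00:01 203.0.113.7 alice FAIL
2014-01-30T10:00:02 203.0.113.7 bob FAIL
2014-01-30T10:00:02 203.0.113.7 carol OK
2014-01-30T10:00:03 203.0.113.7 dave FAIL
2014-01-30T10:00:04 203.0.113.7 erin FAIL
2014-01-30T10:00:05 203.0.113.7 frank OK
2014-01-30T10:00:09 198.51.100.2 alice FAIL
2014-01-30T10:00:15 198.51.100.2 alice OK
2014-01-30T10:05:00 192.0.2.9 grace OK
"""


def parse_log(text):
    """Parse log lines into (timestamp, ip, user, success) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, ip, user, result = line.split()
            events.append((datetime.fromisoformat(ts), ip, user, result == "OK"))
    return events


def find_stuffing_sources(events, window=timedelta(minutes=1),
                          min_users=5, max_success_ratio=0.5):
    """Flag source IPs that try many distinct accounts within `window`
    with a low success ratio: a person retrying their own password hits one
    account, while a replayed breach list hits many, mostly failing and
    succeeding only where the password was reused."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()
        for i, (start, _, _) in enumerate(evs):
            in_window = [e for e in evs[i:] if e[0] - start <= window]
            users = {u for _, u, _ in in_window}
            successes = sum(ok for _, _, ok in in_window)
            if len(users) >= min_users and successes / len(in_window) <= max_success_ratio:
                flagged[ip] = (len(users), successes)  # accounts touched, logins gained
                break
    return flagged
```

The successful logins from a flagged source are the accounts whose owners reused a password and should be the first ones reset and notified.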
Yahoo Mail! users are invited to adopt a strong, dedicated password for the mail service. I always suggest the use of two-factor authentication where available; in this way users can reduce the possibility of being hacked, but it is not 100% certain.
Yahoo confirmed that it is now working with law enforcement to identify those responsible.
(Security Affairs – Yahoo Mail!, Data breach)