In a statement issued late on Thursday, the company detailed that hackers had used “malicious computer software” in a “coordinated effort to gain unauthorised access to Yahoo Mail” accounts, but stopped short of revealing when the attack had taken place. The attackers supposedly tried to get names and email addresses from victims' sent emails.
“Based on our current findings, the list of usernames and passwords that were used to execute the attack was likely collected from a third-party database compromise. We have no evidence that they were obtained directly from Yahoo's systems,” the company said on its Tumblr page.
“We regret this has happened and want to assure our users that we take the security of their data very seriously”. Yahoo is now working with US federal law enforcement to “find and prosecute the perpetrators responsible for this attack”.
This is the latest embarrassment for Yahoo. Marissa Mayer's company faced heavy criticism after mocking the brief Gmail outage last week, something the company later said “reflected bad judgement”.
The company revealed that a malware attack hit Yahoo's advertising servers earlier this month, an incident which could have affected hundreds of thousands of users.
Fujitsu UK's chief security officer David Robinson said that this latest attack should serve as a reminder to businesses that not only is the cyber threat real, but that it is increasingly coming from sophisticated criminals.
“Many businesses, and consumers, are still failing to see the reality of the situation we are now facing. The effort required to combat breaches is industrial. Companies are no longer fighting against individuals, but a sophisticated criminal industry, designed solely to access their data. This is why we describe organisations in two groups, those who have been hacked, and those who will be.”
Ashish Patel, regional director at Stonesoft, a McAfee Group company, concurred with Robinson and said that Yahoo needs to look at the data shared with third parties.
“This latest attempt to hack Yahoo highlights the growing responsibility of businesses to do far more to protect users' data. If it is indeed the result of a third-party database compromise, Yahoo needs to have greater insight into the security systems of the third parties it is sharing data with to avoid a repeat performance and ensure it remains a trusted brand.
“Any organisation can be at risk to a cyber-threat, with information both an asset to be protected and a weapon to be used. Because of this, security teams within all industries need to assess their current protection, deploy appropriate measures and remain vigilant.”