Yahoo acknowledged on Thursday that attackers now own an undisclosed number of usernames and passwords to Yahoo Mail accounts. In a blog post, Jay Rossiter, the senior vice president in charge of Yahoo’s platforms and personalisation products, wrote that the attackers had most likely hacked an external, third-party database and obtained the information there.
“We regret this has happened and want to assure our users that we take the security of their data very seriously,” Rossiter wrote.
Yahoo did not say how many accounts had been compromised, nor when the attacks had taken place. However, the company said it had begun notifying users that the attacks had taken place, and had begun using second sign-in verification to allow users to re-secure their accounts. Users who have been affected, unsurprisingly, will be asked to change their password, and may receive an SMS text to that effect, Yahoo said.
Yahoo said that it was working with US federal law enforcement to find the culprits and would take further precautions to prevent this from happening again.
Finally, Rossiter stated the obvious: “In addition to adopting better password practices by changing your password regularly and using different variations of symbols and characters, users should never use the same password on multiple sites or services,” he wrote. “Using the same password on multiple sites or services makes users particularly vulnerable to these types of attacks.”
In December, Yahoo Mail went down for several days, stranding about one million users of the service without email – or word from the company. While the outage began on Monday, it was Friday before CEO Marissa Mayer apologised on behalf of the company.
However, this week Mayer touted Yahoo Mail and services like Flickr as “a strong foundation for revenue growth”, even as that revenue fell by six percent compared with a year ago.