Yahoo has said that usernames and passwords of its email customers have been stolen and used to access accounts, but the company isn’t saying how many accounts have been affected. Yahoo is the second-largest email service worldwide, after Google’s Gmail, according to the research firm comScore. There are 273 million Yahoo mail accounts worldwide, including 81 million in the US.
Yahoo yesterday said in a blog post on its breach that “The information sought in the attack seems to be names and email addresses from the affected accounts’ most recent sent emails.” That could mean hackers were looking for additional email addresses to send spam or scam messages. By grabbing real names from those sent folders, hackers could try to make bogus messages appear more legitimate to recipients.
The bigger danger: access to email accounts could lead to more serious breaches involving banking and shopping sites. That’s because many sites use email to reset passwords. Hackers could try logging in to such a site with the Yahoo email address, for instance, and ask that a password reminder be sent by email.
The breach is the second problem for Yahoo’s mail service in two months. In December, the service suffered a multi-day outage that prompted Yahoo CEO Marissa Mayer issue an apology. Yahoo said it believes the usernames and passwords weren’t collected from its own systems, but from a third-party database. It’s not clear why a third-party database would have information on Yahoo accounts.
Yahoo said it is resetting passwords on affected accounts and has “implemented additional measures” to block further attacks. The company would not comment beyond the information in its blog post. It said it is working with federal law enforcement.