Yahoo is resetting passwords for an undisclosed number of Yahoo Mail users after a mass attempt to gain access to the email accounts was made using a list of credentials likely stolen in an attack on a separate entity, the internet corporation announced on Thursday.
In a post to the company's blog, Jay Rossiter, senior vice president of Yahoo's platforms and personalization products, wrote that malware was used in the mass attempt to gain access to accounts, but added there is no evidence the list of credentials was obtained from Yahoo systems.
“We are resetting passwords on impacted accounts and we are using second sign-in verification to allow users to re-secure their accounts,” Rossiter wrote. “Impacted users will be prompted (if not, already) to change their password and may receive an email notification or an SMS text if they have added a mobile number to their account.”
An investigation is ongoing and Yahoo is working with federal law enforcement to find and prosecute the responsible party, according to the post, which states that added measures are being taken to secure Yahoo's systems against similar attacks.
Sol Cates, CSO with Vormetric, told SCMagazine.com on Friday that credentials stolen in attacks are frequently used by hackers on other services, such as Yahoo, because it is typical for people to reuse the same usernames and passwords across various accounts.
“Looking at the information we can gather so far, it seems that this undisclosed third party had a database of unprotected usernames and passwords, or the attackers found a way to insert themselves into the authentication path to those that are authenticating – which is usually done at the browser/endpoint level,” Cates said.
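As an added illustration of the pattern Cates describes (this code is not from Yahoo, Vormetric or SC Magazine), the following Python runs a simple credential-stuffing check over a constructed authentication log: one source address trying many distinct accounts in a short window, with most attempts failing, is what a replayed list of credentials stolen elsewhere looks like from the defender's side. The log lines, the thresholds and the time window are assumptions; the accounts that the flagged source actually got into are the ones a provider would reset and notify, as the Yahoo post describes.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real Yahoo data).
# Each line: ISO-8601 timestamp, source IP, username, result (OK or FAIL).
SAMPLE_LOG = """\
2014-01-30T10:00:01Z 203.0.113.7 alice FAIL
2014-01-30T10:00:02Z 203.0.113.7 bob FAIL
2014-01-30T10:00:02Z 203.0.113.7 carol FAIL
2014-01-30T10:00:03Z 203.0.113.7 dave OK
2014-01-30T10:00:03Z 203.0.113.7 erin FAIL
2014-01-30T10:00:04Z 203.0.113.7 frank FAIL
2014-01-30T10:00:04Z 203.0.113.7 grace FAIL
2014-01-30T10:00:05Z 203.0.113.7 heidi FAIL
2014-01-30T10:00:05Z 203.0.113.7 ivan OK
2014-01-30T10:00:06Z 203.0.113.7 judy FAIL
2014-01-30T10:05:00Z 198.51.100.9 alice FAIL
2014-01-30T10:05:20Z 198.51.100.9 alice FAIL
2014-01-30T10:05:45Z 198.51.100.9 alice OK
2014-01-30T11:00:00Z 192.0.2.44 bob OK
"""


def parse_events(text):
    """Parse log lines into (timestamp, ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result))
    return events


def detect_stuffing(events, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.5):
    """Flag source IPs that attempted at least `min_users` distinct accounts within
    any `window`-long span, with at least `min_fail_ratio` of those attempts failing.
    Thresholds are illustrative assumptions; tune them against real traffic.
    Returns {ip: {"users": n, "attempts": n, "failures": n, "hits": [accounts that succeeded]}}.
    A user retrying their own password (198.51.100.9 above) is not flagged."""
    by_ip = defaultdict(list)
    for ev in sorted(events, key=lambda e: e[0]):
        by_ip[ev[1]].append(ev)
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        best = None
        for end in range(len(evs)):
            # Slide the window so that evs[start:end+1] spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            users = {e[2] for e in span}
            failures = sum(1 for e in span if e[3] != "OK")
            if len(users) >= min_users and failures / len(span) >= min_fail_ratio:
                # Keep the widest qualifying window seen for this source.
                if best is None or len(users) > best["users"]:
                    best = {
                        "users": len(users),
                        "attempts": len(span),
                        "failures": failures,
                        "hits": sorted({e[2] for e in span if e[3] == "OK"}),
                    }
        if best:
            flagged[ip] = best
    return flagged


def accounts_to_reset(flagged):
    """Accounts that a flagged source actually got into: the ones to reset and notify."""
    hits = set()
    for info in flagged.values():
        hits.update(info["hits"])
    return sorted(hits)


if __name__ == "__main__":
    result = detect_stuffing(parse_events(SAMPLE_LOG))
    for ip, info in result.items():
        print(ip, info)
    print("reset:", accounts_to_reset(result))
```

The check keys on distinct usernames per source rather than on failures alone, because a stuffing run against reused passwords succeeds often enough that a pure failure-count rule would miss the accounts that matter most: the ones where the replayed credential worked.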
Speaking on encrypting credentials, Tony Busseri, CEO of Route1, a digital security and identity management solutions company, told SCMagazine.com on Friday that while it is important for entities to encrypt their databases, organizations remain vulnerable because that information must be decrypted at some point in order to be used.
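Busseri's point applies to data that is stored reversibly. Login passwords specifically do not need to be stored that way, because verifying a login only requires re-deriving a salted one-way hash from what the user types and comparing it with the stored value, so there is no decryption step for an attacker who reaches the database to exploit. The following added example (my code, not Yahoo's or Route1's, standard library only) shows such a credential store; the iteration count is an assumed work factor.

```python
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256; an assumed value, tune it to your hardware.
ITERATIONS = 600_000


def store_password(password: str, iterations: int = ITERATIONS) -> dict:
    """Derive a salted one-way hash. The returned record is what goes in the
    database; it contains nothing from which the password can be recovered,
    and a leaked record cannot be replayed against other services."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {
        "alg": "pbkdf2-sha256",
        "iterations": iterations,
        "salt": salt.hex(),
        "hash": digest.hex(),
    }


def verify_password(record: dict, candidate: str) -> bool:
    """Re-derive the hash from the candidate and compare in constant time.
    The stored value is never turned back into a password."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"),
        bytes.fromhex(record["salt"]), record["iterations"],
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def needs_rehash(record: dict, iterations: int = ITERATIONS) -> bool:
    """True if the record was created under a weaker policy than the current one;
    call store_password() again at the user's next successful login."""
    return record["alg"] != "pbkdf2-sha256" or record["iterations"] < iterations


if __name__ == "__main__":
    rec = store_password("correct horse battery staple")
    print(rec)
    print(verify_password(rec, "correct horse battery staple"),
          verify_password(rec, "wrong password"))
```

Data that an application must read back, such as recovery e-mail addresses or phone numbers used for the SMS notifications mentioned above, is still subject to Busseri's caveat and needs key management around its decryption path; passwords are the one field for which the reversible design can be avoided entirely.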
“Fundamentally, unless personnel must have access to the data offline to perform their functions, enterprise data should always remain behind the enterprise firewall,” Busseri said.