San Francisco — Yahoo alerted users of its free email service Thursday that hackers slipped into accounts to loot information using stolen passwords.
The California company did not disclose the extent of the breach, but said that it is asking those affected to change their passwords.
“Security attacks are unfortunately becoming a more regular occurrence,” Yahoo senior vice president for platforms and personalization products Jay Rossiter said in a blog post.
“We regret this has happened and want to assure our users that we take the security of their data very seriously.”
A malicious computer program armed with Yahoo Mail passwords and usernames apparently slipped into accounts aiming to glean names and addresses from messages that had been sent, according to Rossiter.
Yahoo recently discovered the invasion and suspected that the passwords were snatched from a third-party database that the company did not disclose.
“We have no evidence that they were obtained directly from Yahoo’s systems,” Rossiter said.
Yahoo said it was working with federal authorities to investigate the breach.
What can the users do?
The company is resetting passwords on accounts that have been affected and is taking steps to allow users to re-secure their accounts. It is sending notification e-mails instructing those users to change their passwords; users may also receive a text message, if they’ve shared their phone number with the company.
It’s a song-and-dance that users may be tiring of, but it is important for Yahoo account holders who were swept up in the attack to change their passwords immediately.
They should also change their log-in credentials for any account that may share their Yahoo password, particularly if they use their Yahoo e-mail as their username. The same is true if you use a similar e-mail address as the username — it’s not a big leap for hackers to think that you may be both [email protected] and [email protected]
Finally, everyone should also be on the lookout for spam, as the attack also appears to have picked up names and e-mail addresses for the most recent contacts from affected accounts, according to the company’s post.
If you get an odd e-mail from the Yahoo account of someone you know, ignore the message, and do not click on any links in the message. (It would also be nice to let the person whose account has been hacked know about the fraudulent messages, so they can warn others to avoid the e-mails.)
According to an Adobe data analysis, “123456” was the most popular password among its millions of users.
Recently, Adobe users’ details were stolen during an attack on the company.
About 1.9 million people used the “123456” sequence, according to analysis of data lost in the leak.
Online copies of the data have let security researchers find out more about users’ password-creating habits.
The analysis suggests that many people are making it easy for attackers by using easy-to-guess passwords.
On October 4, Adobe reported that its systems had been penetrated by attackers who had stolen the online credentials for millions of its users.
Early reports suggested about 2.9 million records had been compromised.
On October 30, this figure was revised, with Adobe saying information about 38 million active users had gone astray.
In total, information about more than 150 million accounts was stolen – but many of the other accounts were disused, abandoned or duplicates.
Adobe has now shut down all the compromised accounts, saying it will only reopen them once passwords have been changed.
Copies of the data that was exposed by the breach have begun circulating online and inspired security researcher Jeremi Gosney to go through it working out which password was most popular.
Top of the list, with 1.9 million entries, was the “123456” string of numbers. Second was the slightly longer “123456789” sequence.
Other popular easy-to-guess passwords included “adobe123”, “qwerty” and “password”.
Jeremi Gosney said the results of the analysis should be treated with caution because, so far, no-one had access to the keys that Adobe used to encrypt the data.
However, he added, flaws in the way Adobe had stored and encrypted passwords along with clues in the giant file of data had made it possible to draw up a list that he was “fairly confident” was accurate.
Computer security researchers who study password-creating habits have also seized on the data dump as a way to refine the word lists they use to attack login systems in a bid to make them more secure.
Lists of passwords and email addresses are a boon to attackers not just because they can be used to get access to the systems they were supposed to secure. Many people re-use the same password for different services potentially giving attackers a way into other networks.
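The passwords named above (“123456”, “123456789”, “adobe123”, “qwerty”, “password”) are exactly the kind a registration or password-change form should refuse. As an added example, not code from the article, Adobe or Jeremi Gosney, the checker below rejects a candidate password if it appears in a breach-derived blocklist (seeded only with the strings the article names; a real deployment would load the full leaked list), contains the site’s own name, is a monotone character sequence, is a keyboard-row walk, or is too short. The function name, the `site_name` parameter and the length threshold are assumptions for illustration.

```python
import re

# Seeded only with the passwords the article names; a constructed, deliberately
# short stand-in for a full breach-derived blocklist.
BREACH_BLOCKLIST = {"123456", "123456789", "adobe123", "qwerty", "password"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")


def _is_sequence(s):
    """True for runs like 123456, abcdef or 654321 (every step is +1 or every step is -1)."""
    if len(s) < 4:
        return False
    diffs = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return diffs in ({1}, {-1})


def _keyboard_walk(s):
    """True if the whole string is a left-to-right or right-to-left slice of a keyboard row."""
    return any(s in row or s in row[::-1] for row in KEYBOARD_ROWS)


def weakness(password, site_name=None):
    """Return a short reason if `password` should be refused, or None if it passes.

    Checks are ordered from most to least damning so the user sees the most
    useful message. Matching is case-insensitive: "Password" is no better than
    "password" to a cracker who tries case variants.
    """
    p = password.lower()
    if p in BREACH_BLOCKLIST:
        return "appears in breach-derived blocklist"
    if site_name and site_name.lower() in p:
        return "contains the site name"
    if _is_sequence(p):
        return "sequential characters"
    if len(p) >= 4 and _keyboard_walk(p):
        return "keyboard walk"
    if len(password) < 8:
        return "shorter than 8 characters"
    return None


if __name__ == "__main__":
    for candidate in ["123456", "Password", "adobe2013", "abcdef", "asdfgh",
                      "Tr0ub4d", "correct horse battery staple"]:
        print(f"{candidate!r}: {weakness(candidate, site_name='adobe') or 'ok'}")
```

Because the article’s point is that leaked lists are reused against other services, the blocklist check matters more than any complexity rule: a password that is already in a public dump will be among the first guesses tried, however many character classes it contains.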
Top 20 passwords