Security Experts:

Hackers Hit Yahoo Mail With Mass Account Checker Attack

Yahoo has issued a warning of an attack targeting users of its email service, and is initiating password resets for potentially affected accounts.

“Recently, we identified a coordinated effort to gain unauthorized access to Yahoo Mail accounts,” Jay Rossiter, SVP, Platforms and Personalization Products at Yahoo, wrote in a blog post Thursday. “Upon discovery, we took immediate action to protect our users, prompting them to reset passwords on impacted accounts.”

According to Rossiter, the list of usernames and passwords that was used to execute the attack was likely obtained from hacking another site and stealing the list of login credentials.

Expert InsightExercising Alternatives to Detect and Prevent Brute Force Attacks

Yahoo Email Accounts Hacked

Yahoo does not believe the list of accounts were obtained directly from Yahoo’s systems, and the company did not elaborate on the extent of the attack or provide any numbers as to how many accounts may have been illegally accessed or how many hack attempts were made.

The attackers appear to be after names and email addresses from the affected accounts’ most recent sent emails, Yahoo said. Such a move could help the attackers build an extended database and conduct personalized attacks appearing to be from the victimized Yahoo email account.

“Our ongoing investigation shows that malicious computer software used the list of usernames and passwords to access Yahoo Mail accounts,” Rossiter noted.

If the attack was done at scale, which it seems it was, it’s likely that the attackers made use of a botnet to execute the attack.

These types of attacks are known as “account checker attacks” and are automated attacks that are commonly used by cybercriminals to hack into user accounts. In these attacks, automated attack tools and account checker scripts are used to determine valid user ID/password combinations.

Automated attacks are nothing new, and security firms have been warning about them for years, though attackers are increasingly using automation in their ongoing attacks.

“Hackers will use brute force attacks to test stolen usernames and passwords from one source to gain access to another say, bank accounts, Facebook pages, Gmail, you name it,” Juniper Networks’ Michael Callahan wrote in a recent SecurityWeek column.

“Password reuse is rampant, even among people who should know better,” Callahan added. “The single point of failure it creates can lead to a data breach from one company causing a major ripple of compromises across many other sites.”

“Most recently, the major loss of usernames and passwords from Adobe caused Facebook and Evernote to prompt users to reset passwords to avoid these attacks,” Callahan said.

In July 2013, Akamai Technologies warned in its State of the Internet Report that it was seeing a rise in account takeover attacks hitting e-commerce companies.

Yahoo said it has implemented additional measures to block attacks against its systems, and that the company is working with federal law enforcement to investigate the attack.

Just over a week ago, Germany's Federal Office for Online Security warned Internet users that cybercriminals had obtained a list of 16 million email addresses and passwords.

Related Reading: Hackers Just Made Off with Two Million Passwords, Now What?

Expert Insight: Exercising Alternatives to Detect and Prevent Brute Force Attacks

Subscribe to the SecurityWeek Email Briefing
view counter