Security Experts:

Connect with us

Hi, what are you looking for?



Hackers Hit Yahoo Mail With Mass Account Checker Attack

Yahoo has issued a warning of an attack targeting users of its email service, and is initiating password resets for potentially affected accounts.

Yahoo has issued a warning of an attack targeting users of its email service, and is initiating password resets for potentially affected accounts.

“Recently, we identified a coordinated effort to gain unauthorized access to Yahoo Mail accounts,” Jay Rossiter, SVP, Platforms and Personalization Products at Yahoo, wrote in a blog post Thursday. “Upon discovery, we took immediate action to protect our users, prompting them to reset passwords on impacted accounts.”

According to Rossiter, the list of usernames and passwords that was used to execute the attack was likely obtained from hacking another site and stealing the list of login credentials.

Expert InsightExercising Alternatives to Detect and Prevent Brute Force Attacks

Yahoo Email Accounts Hacked

Yahoo does not believe the list of accounts were obtained directly from Yahoo’s systems, and the company did not elaborate on the extent of the attack or provide any numbers as to how many accounts may have been illegally accessed or how many hack attempts were made.

The attackers appear to be after names and email addresses from the affected accounts’ most recent sent emails, Yahoo said. Such a move could help the attackers build an extended database and conduct personalized attacks appearing to be from the victimized Yahoo email account.

“Our ongoing investigation shows that malicious computer software used the list of usernames and passwords to access Yahoo Mail accounts,” Rossiter noted.

If the attack was done at scale, which it seems it was, it’s likely that the attackers made use of a botnet to execute the attack.

These types of attacks are known as “account checker attacks” and are automated attacks that are commonly used by cybercriminals to hack into user accounts. In these attacks, automated attack tools and account checker scripts are used to determine valid user ID/password combinations.

Automated attacks are nothing new, and security firms have been warning about them for years, though attackers are increasingly using automation in their ongoing attacks.

“Hackers will use brute force attacks to test stolen usernames and passwords from one source to gain access to another say, bank accounts, Facebook pages, Gmail, you name it,” Juniper Networks’ Michael Callahan wrote in a recent SecurityWeek column.

“Password reuse is rampant, even among people who should know better,” Callahan added. “The single point of failure it creates can lead to a data breach from one company causing a major ripple of compromises across many other sites.”

“Most recently, the major loss of usernames and passwords from Adobe caused Facebook and Evernote to prompt users to reset passwords to avoid these attacks,” Callahan said.

In July 2013, Akamai Technologies warned in its State of the Internet Report that it was seeing a rise in account takeover attacks hitting e-commerce companies.

Yahoo said it has implemented additional measures to block attacks against its systems, and that the company is working with federal law enforcement to investigate the attack.

Just over a week ago, Germany’s Federal Office for Online Security warned Internet users that cybercriminals had obtained a list of 16 million email addresses and passwords.

Related Reading: Hackers Just Made Off with Two Million Passwords, Now What?

Expert Insight: Exercising Alternatives to Detect and Prevent Brute Force Attacks

Written By

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.

Click to comment

Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


Video games developer Riot Games says source code was stolen from its development environment in a ransomware attack


Artificial intelligence is competing in another endeavor once limited to humans — creating propaganda and disinformation.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...

Incident Response

Cygnvs emerges from stealth mode with an incident response platform and $55 million in Series A funding.


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.