Yahoo Mail compromised -- is nothing safe anymore?

Status
Not open for further replies.

Petrovic

Thread author
I've been dubious of trusting Yahoo since its ill-advised decision to start recycling email addresses. While my criticism of that decision was theoretical, my colleague Wayne Williams experienced this ineptitude in practice.

Sadly, recycling emails is not the only blemish on the service. Today, Yahoo announces that the email accounts of some users have been compromised. In other words, the company has joined a special club that includes Target and Michaels, with users feeling anxious and violated.

"Security attacks are unfortunately becoming a more regular occurrence. Recently, we identified a coordinated effort to gain unauthorized access to Yahoo Mail accounts. Upon discovery, we took immediate action to protect our users, prompting them to reset passwords on impacted accounts", says Jay Rossiter, SVP, Yahoo.


Rossiter further explains, "the list of usernames and passwords that were used to execute the attack was likely collected from a third-party database compromise. We have no evidence that they were obtained directly from Yahoo’s systems. Our ongoing investigation shows that malicious computer software used the list of usernames and passwords to access Yahoo Mail accounts. The information sought in the attack seems to be names and email addresses from the affected accounts’ most recent sent emails".

What is particularly troubling to me are two things from the statement -- "likely" and "third-party database". The word "likely" means the company isn't sure what happened, which is disappointing. However, the real question is, why would a third party be storing the credentials of Yahoo users? When a user establishes a username and password with Yahoo, the expectation is that it is not shared outside of Yahoo. The company has some explaining to do.

Yahoo is doing the following things to protect the affected users:

  • We are resetting passwords on impacted accounts and we are using second sign-in verification to allow users to re-secure their accounts. Impacted users will be prompted (if not, already) to change their password and may receive an email notification or an SMS text if they have added a mobile number to their account.
  • We are working with federal law enforcement to find and prosecute the perpetrators responsible for this attack.
  • We have implemented additional measures to block attacks against Yahoo’s systems.

Sadly, this comes on the heels of credit card breaches at Target and possibly Michaels. While those incidents are not related to this one, it still compounds the issue of people feeling that data is not safe.
 
Just get ABP (adblockplus), Avast! or any other sort of anti-malware, anti-virus and don't get the Chrome Extension - Web Of Trust to stay safe. Just a suggestion - Flames
I was able to access Yahoo mail again. Finally! :)
I don't think they had any "Web Of Trust" in me! Well, mainly, it must have been the absolute worst timing (on my part) to re-set my p.w. THAT, & the field wasn't working on their site which kept prompting to create a more secure password even w/Caps, #s, & symbols, it wouldn't accept, & even after resetting passwords multiple times, it was not recognized for a few days!
ABP on Firefox https://adblockplus.org/en/firefox is a well known ext. for those who enjoy making their own choices, which becomes clearly evident by how effectively it works when something doesn't function (initially) until you customize it! ;) Scriptblock, a Chrome ext., does its job similarly. https://chrome.google.com/webstore/detail/scriptblock/hcdjknjpbnhdoabbngpmfekaecnpajba?hl=en . Flames, how do you feel o_O about ghostery https://www.ghostery.com/ ? Lastpass is a secure password handler/generator (I've only created a password like this once, but it's so cool!) :p & has made life a lot easier for me. :cool: I use it on both Firefox & Comodo Dragon! :D https://lastpass.com/
 