San Francisco — Yahoo alerted users of its free email service Thursday that hackers slipped into accounts to loot information using stolen passwords.
The California company did not disclose the extent of the breach, but said that it is asking those affected to change their passwords.
“Security attacks are unfortunately becoming a more regular occurrence,” Yahoo senior vice president for platforms and personalization products Jay Rossiter said in a blog post.
“We regret this has happened and want to assure our users that we take the security of their data very seriously.”
A malicious computer program armed with Yahoo Mail passwords and usernames apparently slipped into accounts aiming to glean names and addresses from messages that had been sent, according to Rossiter.
Yahoo recently discovered the invasion and suspected that the passwords were snatched from a third-party database that the company did not disclose.
“We have no evidence that they were obtained directly from Yahoo’s systems,” Rossiter said.
Yahoo said it was working with federal authorities to investigate the breach.
What can users do?
The company is resetting passwords on accounts that have been affected and is taking steps to allow users to re-secure their accounts. It is sending notification e-mails instructing those users to change their passwords; users may also receive a text message, if they’ve shared their phone number with the company.
It’s a song-and-dance that users may be tiring of, but it is important for Yahoo account holders who were swept up in the attack to change their passwords immediately.
They should also change their log-in credentials for any account that may share their Yahoo password, particularly if they use their Yahoo e-mail as their username. The same is true if you use a similar e-mail address as the username — it’s not a big leap for hackers to think that you may be both email@example.com and firstname.lastname@example.org.
Finally, everyone should also be on the lookout for spam, as the attack also appears to have picked up names and e-mail addresses for the most recent contacts from affected accounts, according to the company’s post.
If you get an odd e-mail from the Yahoo account of someone you know, ignore the message, and do not click on any links in the message. (It would also be nice to let the person whose account has been hacked know about the fraudulent messages, so they can warn others to avoid the e-mails.)