Attacks/Breaches
1/31/2014
09:40 AM
100%
0%

Yahoo Mail Passwords: Act Now

Yahoo suffers hack attack, eyes third-party database and reused credentials as likely culprits, may enforce two-factor authentication to help users recover accounts.

9 Notorious Hackers Of 2013
9 Notorious Hackers Of 2013
(Click image for larger view and for slideshow.)

Yahoo said it reset passwords for an unspecified number of accounts after detecting an unfolding hack-attack campaign.

"Recently, we identified a coordinated effort to gain unauthorized access to Yahoo Mail accounts. Upon discovery, we took immediate action to protect our users, prompting them to reset passwords on impacted accounts," said Jay Rossiter, who's in charge of Yahoo's platforms and personalization products, in an "important security update for Yahoo Mail users" blog post. Some related notifications, however, have yet to be made.

To help users recover their accounts, Yahoo said it may force users to employ second sign-in verification -- its version of two-factor authentication -- which sends a six-digit code via SMS to a user's registered mobile phone number, provided they have one on file.

According to Litmus email analytics, Yahoo Mail comprises 5% of the world's email clients. In terms of market share -- across desktops, mobile clients, and webmail -- that makes Yahoo Mail the world's eighth most popular email client, trailing iOS Mail clients (38%), Outlook (14%), Android (12%), Apple Mail (8%), Gmail (6%), and Outlook.com (6%), but placing it ahead of Windows Live Mail (3%) and Windows Mail (2%).

[Can you protect your data on the road? Data Security: 4 Questions For Road Warriors.]

Yahoo said there's no evidence that the recent account-hijacking campaign resulted from attackers stealing credentials from Yahoo itself. Rather, whoever's behind the attack appears to have harvested the usernames and passwords from another site, meaning that Yahoo victims likely reused usernames and passwords across multiple sites. "Based on our current findings, the list of usernames and passwords that were used to execute the attack was likely collected from a third-party database compromise," Rossiter said. "Our ongoing investigation shows that malicious computer software used the list of usernames and passwords to access Yahoo Mail accounts. The information sought in the attack seems to be names and email addresses from the affected accounts' most recent sent emails."

He added: "We are working with federal law enforcement to find and prosecute the perpetrators responsible for this attack."

Who hijacks email accounts? Criminals may hack into accounts to harvest legitimate names and email addresses to target with phishing attacks or to run scams. One well-worn ruse involves an urgent appeal for funds sent under an email account owner's name to everyone in his or her address book. The message claims, for example, that the account owner was mugged in London and a hotel is holding his or her passport ransom until the bill is settled in cash. "Kindly help me send the money via Western Union Money Transfer to my name and hotel address below," the message reads.

Yahoo's account-takeover warning is thus a heads-up, not just for users to beware account takeovers, but for anyone who receives an email sent via Yahoo. "I'd... recommend being wary of any odd email messages from friends with Yahoo accounts that send you links or attachments in the next few days," said Chris Mohan at the Internet Storm Center.

How can Yahoo users better avoid account takeovers altogether? According to Yahoo's tips for safeguarding its accounts, the company recommends that all account users "add an alternate email address and mobile number to your account," which can be used to receive a password reset, in the event that the account has been compromised.

Also never reuse the same password across multiple sites. "If you do make the mistake of reusing passwords, you are running the risk of having your password compromised in one place -- perhaps via a phishing attack or keylogger -- and then hackers using it to unlock your other online accounts," said Graham Cluley, an independent security researcher, in a blog post.

Instead, use a password manager to generate strong passwords -- think long and random -- and then store those passwords. Modern password managers will keep your password database synchronized across PCs, mobile devices, and the cloud.

So many people still reuse passwords, however, that some companies, such as Facebook, have begun testing public dumps of usernames and passwords to see if they unlock any of their users' accounts. If so, the company can lock affected accounts and force users to pick a new password.

Beyond never reusing passwords, for optimum account security Yahoo users should also activate the aforementioned second sign-in verification, which Yahoo first introduced in 2011. Once activated, the two-factor verification system will send a six-digit code via SMS to the mobile phone number on file anytime it sees a login attempt -- with a valid username and password -- from a new system. Without that code, would-be attackers can't access the account.

For access to Yahoo email via any non-Yahoo application, meanwhile, the company also offers one-time codes. "Certain applications -- for instance, iOS Mail, Android Mail, and Outlook -- don't support Yahoo's second sign-in verification," Cluley said. "For those, you will need to generate one-time passwords, separate from the one you use on your Yahoo account."

Having a wealth of data is a good thing -- if you can make sense of it. Most companies are challenged with aggregating and analyzing the plethora of data being generated by their security applications and devices. This Dark Reading report, How Existing Security Data Can Help ID Potential Attacks, recommends how to effectively leverage security data in order to make informed decisions and spot areas of vulnerability. (Free registration required.)

Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014. View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Drew Conry-Murray
50%
50%
Drew Conry-Murray,
User Rank: Ninja
1/31/2014 | 10:20:38 AM
Just one password?
If I have to create a really long password to ues a password manager, why not just use that really long password for every site instead of having a password manager in the first place?
krassofnod
50%
50%
krassofnod,
User Rank: Apprentice
1/31/2014 | 11:10:42 AM
Re: Just one password?
because if you use a single passwrod for everything if that password gets hacked anywhere, the hacker has access to everything
Drew Conry-Murray
50%
50%
Drew Conry-Murray,
User Rank: Ninja
1/31/2014 | 11:12:10 AM
Re: Just one password?
But wouldn't that happen if a hacker hacked my password manager password too?
krassofnod
50%
50%
krassofnod,
User Rank: Apprentice
1/31/2014 | 11:22:28 AM
Re: Just one password?
yes which is why i don't use it either, I just memorize 10 different crazy difficult passwords and change them ever 2-3 months
Drew Conry-Murray
100%
0%
Drew Conry-Murray,
User Rank: Ninja
1/31/2014 | 11:31:54 AM
Re: Just one password?
I can't tell if you're being sarcastic. If you're not, I salute your dedication to password hygenie (and your memory!)
krassofnod
50%
50%
krassofnod,
User Rank: Apprentice
1/31/2014 | 11:38:39 AM
Re: Just one password?
honestly no sarcasm intended and thank you
Susan Fourtané
50%
50%
Susan Fourtané,
User Rank: Apprentice
1/31/2014 | 12:01:13 PM
Re: Just one password?
krass, 

Just wow! I should follow your example on password dedication. I think I have become a little lazy about passwords lately. 

-Susan
ChrisMurphy
50%
50%
ChrisMurphy,
User Rank: Apprentice
1/31/2014 | 3:30:27 PM
Re: Just one password?
Does anyone else get a bit numb to these warnings? I know I should change my password, I believe this is true, but ... 
Laurianne
0%
100%
Laurianne,
User Rank: Apprentice
1/31/2014 | 3:47:40 PM
Re: Just one password?
Chris is right. Password fatigue is a big deal. And if you're thinking, who's still using Yahoo Mail, I saw someone using AOLmail on a plane the other day. No joke.
anon7244892334
100%
0%
anon7244892334,
User Rank: Apprentice
1/31/2014 | 4:44:36 PM
Re: Just one password?
What's so shocking about someone using AOL mail?  It's reliable, doesn't have hacking issues, and filters spam well.  Seems like a smart service to use.
anon7244892334
100%
0%
anon7244892334,
User Rank: Apprentice
1/31/2014 | 4:47:27 PM
Re: Just one password?
Yes of course, but the probability that someone will hack your password manager versus hacking any of a multiple of sites/accounts where you're using the same UN/PW is substantiall lower.  The likely culprit in this case of Yahoo was probably not a very secure site.
Susan Fourtané
50%
50%
Susan Fourtané,
User Rank: Apprentice
1/31/2014 | 6:37:16 PM
Re: Just one password?
anon, 

"The likely culprit in this case of Yahoo was probably not a very secure site."

Exactly. Yahoo! Mail has never been secure. It has had plenty of hacking problems. I am not surprised about this new one at all. 

-Susan
Susan Fourtané
50%
50%
Susan Fourtané,
User Rank: Apprentice
1/31/2014 | 12:25:55 PM
Re: Just one password?
Drew, 

What makes you think that using just one password is better than a password manager? 

-Susan
Drew Conry-Murray
50%
50%
Drew Conry-Murray,
User Rank: Ninja
1/31/2014 | 5:01:29 PM
Re: Just one password?
I'm not sure it's better, but if I need to create an insanely complex password to protect my password manager, why not just use that insanely complex password everywhere and save myself the trouble of the password manager?
AmericanPrivacy
100%
0%
AmericanPrivacy,
User Rank: Apprentice
1/31/2014 | 10:30:42 AM
Still think your free email is free? Think again
So News has broke that Yahoo emails have been compromised. This does not surprise me in the least. Did you know that Google, Yahoo, Hotmail, AOL and other service providers are scanning, analyzing and categorizing your emails every day? As a result, these numerous providers are pleased to give you a "free" email service because they generate large revenues for themselves through the selling of your personal information to third parties! That's right third parties! Exactly who yahoo is blaming for this data breach!!
100% Privacy guaranteed. At americansrighttoprivacy.com you will remain anonymous as we DO NOT and WILL NOT copy, scan, or sell any of your content. Our email service is 100% privacy guaranteed. Privacy is not only a human right but also required to survive in a competitive business environment. We are very serious about protecting your electronic communications and due to the strict restrictions of the U.S. Patriot Act for law abiding citizens, we cannot align ourselves with servers located in the United States. Therefore, our servers are located in Switzerland where strong data privacy laws do not abide by the U.S. Patriot Act.
Kristin Burnham
50%
50%
Kristin Burnham,
User Rank: Apprentice
1/31/2014 | 1:06:50 PM
Password managers
I'm sure most people are aware that they shouldn't be using the same password for multiple sites, but it's a cumbersome habit to break. The article recommends using a password manager. Which are your favorites?
Shane M. O'Neill
50%
50%
Shane M. O'Neill,
User Rank: Apprentice
1/31/2014 | 4:36:26 PM
Re: Password managers
I don't trust that a password manager can't be hacked. So I continue on in the living hell that is memorizing passwords and keeping them on a piece of paper hidden in my house. 
jgherbert
50%
50%
jgherbert,
User Rank: Apprentice
1/31/2014 | 9:51:24 PM
Re: Password managers
@Shane M. O'Neill:

"I don't trust that a password manager can't be hacked. So I continue on in the living hell that is memorizing passwords and keeping them on a piece of paper hidden in my house. "

That's _so_ 1980s. Anybody with any self respect would use Post-Its stuck to their monitor, surely?

I must confess that I am about at explosion point with passwords, especially with every site having different requirements for password strength. SSO has issues but I gotta tell you, right now I am all about some kind of federated SSO across web sites. 

I do use a password manager by the way, but there isn't a single product that I've yet found that works consistently across (in my case), windows, linux, OSX and iOS, and integrates with the web browser so that I don't have to jump between applications all the time to find and then paste in a password. Especially on a smartphone that's a huge pain.

 
Susan Fourtané
50%
50%
Susan Fourtané,
User Rank: Apprentice
1/31/2014 | 6:26:00 PM
Re: Password managers
Kristin, 

I can see how the habit of using the same password for multiple sites could have started for many.

If you have to sign in to ten, or more sites daily you may well forget some of the passwords. One password for all can solve the problem. It brings others, as we know. 

Chrome offers the option of remembering passwords. I choose this option to certain sites. Some other times I ask for a new password. This is handy for sites I don't use frequently. It's faster and easier than trying to remember a password I use a few times a year. 

For the important passwords I don't use a password manager at the moment. I have a password formula. 

-Susan 
Kristin Burnham
50%
50%
Kristin Burnham,
User Rank: Apprentice
2/1/2014 | 9:20:08 AM
Re: Password managers
I choose the option to have my browser remember most of my passwords, too. But it's the worst when you're required to clear cookies and other settings for some reason and all your passwords are cleared. Password hell all over again.
Li Tan
50%
50%
Li Tan,
User Rank: Apprentice
2/3/2014 | 1:45:14 AM
Re: Password managers
The best practice to my experience is using the same password with sufficient complexity for all your internet accounts. This sounds nothing new but sometimes it's difficult to handle it in this way due to various constraints from different web sites. Furthermore, I normally chose not let web browser to remember my password - it does not take me long to enter the password everytime and it helped me to remember it. 
Susan Fourtané
50%
50%
Susan Fourtané,
User Rank: Apprentice
2/3/2014 | 6:00:59 AM
Re: Password managers
Kristin, 

"I choose the option to have my browser remember most of my passwords, too. But it's the worst when you're required to clear cookies and other settings for some reason and all your passwords are cleared. Password hell all over again."

I know! I went through password hell this past weekend. I had to reset my FB password, which is always easier that trying all the password formula alternatives and all the possible combinations I can think of I used for a FB password.

I am still waiting one my online libraries to send me a new password. :( 

-Susan

 
M_Gordon
50%
50%
M_Gordon,
User Rank: Apprentice
2/3/2014 | 1:08:32 PM
Re: Password managers
Kristin,

You should check out LastPass, it's a really useful password manager. It allows to use many different and strong passwords without having to remember each one. They also have an security add-on option, Toopher, which adds another layer of security to each of your accounts in LastPass. It's extremely user friendly and uses location awareness of your smartphone to automate the authentication process. Check out this video, it helped me better understand what Toopher does. http://www.youtube.com/watch?v=k78xDTpy7PU
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2382
Published: 2014-11-20
The DfDiskLo.sys driver in Faronics Deep Freeze Standard and Enterprise 8.10 and earlier allows local administrators to cause a denial of service (crash) and execute arbitrary code via a crafted IOCTL request that writes to arbitrary memory locations, related to the IofCallDriver function.

CVE-2014-3625
Published: 2014-11-20
Directory traversal vulnerability in Pivitol Spring Framework 3.0.4 through 3.2.x before 3.2.12, 4.0.x before 4.0.8, and 4.1.x before 4.1.2 allows remote attackers to read arbitrary files via unspecified vectors, related to static resource handling.

CVE-2014-7194
Published: 2014-11-20
TIBCO Managed File Transfer Internet Server before 7.2.4, Managed File Transfer Command Center before 7.2.4, Slingshot before 1.9.3, and Vault before 1.1.1 allow remote attackers to obtain sensitive information or modify data by leveraging agent access.

CVE-2014-7195
Published: 2014-11-20
Spotfire Web Player Engine in TIBCO Spotfire Web Player 6.0.x before 6.0.2 and 6.5.x before 6.5.2, Spotfire Deployment Kit 6.0.x before 6.0.2 and 6.5.x before 6.5.2, and Silver Fabric Enabler for Spotfire Web Player before 1.6.1 allows remote authenticated users to obtain sensitive information via u...

CVE-2014-8000
Published: 2014-11-20
Cisco Unified Communications Manager IM and Presence Service 9.1(1) produces different returned messages for URL requests depending on whether a username exists, which allows remote attackers to enumerate user accounts via a series of requests, aka Bug ID CSCur63497.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?