Yahoo announced late on Jan. 30 that its widely used consumer mail service was attacked recently.
“Recently, we identified a coordinated effort to gain unauthorized access to Yahoo Mail accounts,” Jay Rossiter, senior vice president of Platforms and Personalization Products at Yahoo, wrote in a Tumblr blog post. “Upon discovery, we took immediate action to protect our users, prompting them to reset passwords on impacted accounts.”
According to Rossiter, the Yahoo Mail usernames and passwords were not stolen directly from Yahoo; rather, they were obtained via a compromise of a third-party database.
The Yahoo Mail attack appears to be another example of the types of larger multistage campaigns that are becoming more common, Harry Sverdlove, CTO at Bit9, told eWEEK. The big question for Sverdlove is why the attackers went after Yahoo Mail.
“This is not like stealing credit card information or something with direct financial value,” Sverdlove said. “What does an attacker gain from a large number of email accounts? Such information is valuable when viewed as part of a bigger campaign.”
Sverdlove said that control of an email account could potentially be used as a way to conduct a phishing attack and to spread malware. The bottom line for him is that the stolen email addresses are not the ultimate target—something bigger is looming on the horizon. That said, thanks to Yahoo’s quick action, the ultimate target may never be revealed publicly.
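As an added illustration (not code from the article, Yahoo or any of the quoted firms), the kind of check a mail provider can run over its own authentication logs to spot the pattern Rossiter describes: one source trying username/password pairs stolen from elsewhere against many distinct accounts, with a high failure rate because most of the reused passwords no longer match. The log format, the sample lines and the thresholds are all assumed.

```python
import re
from collections import defaultdict

# Constructed sample login records (assumed format, not real Yahoo data).
# 203.0.113.5 walks through six different accounts with one try each,
# which is what replaying a stolen third-party credential list looks like;
# 198.51.100.7 is an ordinary user mistyping and then succeeding.
SAMPLE_LOG = """\
2014-01-29T02:00:01 src=203.0.113.5 user=alice result=FAIL
2014-01-29T02:00:02 src=203.0.113.5 user=bob result=FAIL
2014-01-29T02:00:02 src=203.0.113.5 user=carol result=OK
2014-01-29T02:00:03 src=203.0.113.5 user=dave result=FAIL
2014-01-29T02:00:03 src=203.0.113.5 user=erin result=OK
2014-01-29T02:00:04 src=203.0.113.5 user=frank result=FAIL
2014-01-29T02:00:05 src=198.51.100.7 user=alice result=FAIL
2014-01-29T02:00:09 src=198.51.100.7 user=alice result=OK
"""

LINE_RE = re.compile(r"src=(\S+) user=(\S+) result=(OK|FAIL)")


def detect_credential_stuffing(log_text, min_accounts=5, min_fail_ratio=0.5):
    """Flag sources that hit many distinct accounts with mostly failed logins.

    Returns {src: {"accounts": n, "fail_ratio": r, "accounts_to_reset": [...]}}
    where accounts_to_reset are the users that source logged into successfully,
    i.e. the ones whose reused password still worked and need a forced reset.
    """
    per_src = defaultdict(lambda: {"users": set(), "ok_users": set(),
                                   "attempts": 0, "fails": 0})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:          # skip lines that do not carry a login record
            continue
        src, user, result = m.groups()
        s = per_src[src]
        s["users"].add(user)
        s["attempts"] += 1
        if result == "FAIL":
            s["fails"] += 1
        else:
            s["ok_users"].add(user)

    flagged = {}
    for src, s in per_src.items():
        ratio = s["fails"] / s["attempts"]
        # Many distinct accounts plus a high failure rate separates a replayed
        # credential list from one person retrying their own password.
        if len(s["users"]) >= min_accounts and ratio >= min_fail_ratio:
            flagged[src] = {"accounts": len(s["users"]),
                            "fail_ratio": round(ratio, 2),
                            "accounts_to_reset": sorted(s["ok_users"])}
    return flagged
```

The successful logins from a flagged source are the accounts a provider would prompt for a password reset, which is the response Yahoo describes.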
One particular area to highlight in the Yahoo Mail breach is that it wasn’t Yahoo itself that gave up the username and password information.
“The mantra the security industry is always pushing on end users of ‘Never use the same password across multiple sites’ has shown here to be good advice,” Erik Cabetas, managing partner at Include Security, told eWEEK. “From what Yahoo has released so far, simply having a different password from whatever site was breached would have protected users from this.”
The warning against password reuse is one that Hord Tipton, executive director of the International Information System Security Certification Consortium (ISC2), echoes.
“Diversifying your passwords for each account is essential to protecting all of your online information,” Tipton said. “Once a password has been stolen, hackers often attempt to access multiple accounts, compounding the potential damage.”
Tipton also suggests following best practices for password use overall, including having a password of at least eight characters, using a combination of alphanumeric characters and changing each password every 60 to 90 days. It is also imperative that users do not reuse old passwords or use the same password for multiple accounts.
The use of two-factor authentication is also a good best practice, according to Cabetas, and such practice would have limited user risk in the Yahoo Mail breach. Yahoo has offered two-factor authentication since December 2011, and any users with two-factor authentication enforced wouldn’t have been compromised by this attack campaign.
Roger Thompson, chief emerging threat researcher at ICSA Labs, noted that the Yahoo Mail attack is another example of how passwords, no matter how complex and unique, can no longer protect you.
“Password breaches are, regrettably, part of the fabric of the Internet now. In other words, they are a given,” Thompson said. “Until organizations move from passwords to stronger forms of authentication like universal identity solutions, everyone should adopt a one-password-per-site policy, leveraging tools for password management.”
Overall, though breaches are never a positive event, Yahoo’s actions and response are being seen in a positive light.
“While no timetable or scope of the attack has yet to be disclosed by Yahoo, it does appear that Yahoo’s team did a great job of detecting the attack and taking appropriate action with the remediation and public notification,” Cabetas said. “From what we know so far, it looks like they’ve done a stellar job at protecting their users in this case.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.