Yahoo email account passwords stolen


A new Yahoo! logo will be unveiled on September 4. Photo: Getty Images

Yahoo says usernames and passwords of its email customers have been stolen and used to access accounts, but the company isn't saying how many accounts have been affected.

The company said in a blog post Thursday that "The information sought in the attack seems to be names and email addresses from the affected accounts' most recent sent emails."

"Security attacks are unfortunately becoming a more regular occurrence," Yahoo senior vice president for platforms and personalisation products Jay Rossiter said in the blog post.

"We regret this has happened and want to assure our users that we take the security of their data very seriously."

A malicious computer program armed with Yahoo Mail passwords and usernames apparently slipped into accounts aiming to glean names and addresses from messages that had been sent, according to Rossiter.

Yahoo recently discovered the invasion and suspected that the passwords were snatched from a third-party database that the company did not disclose.

"We have no evidence that they were obtained directly from Yahoo's systems," Rossiter said.

Yahoo said it was working with federal authorities to investigate the breach.

The company says it is resetting passwords on affected accounts and has "implemented additional measures" to block further attacks.

The company would not comment beyond the information in its blog post. It says it is working with US federal law enforcement.

It said: "We are resetting passwords on impacted accounts and we are using second sign-in verification to allow users to re-secure their accounts. Impacted users will be prompted (if not, already) to change their password and may receive an email notification or an SMS text if they have added a mobile number to their account."

A spokesman for Yahoo!7 said the breach was a global issue. Australian users should change their passwords as soon as possible "making sure it's not similar to the old one".

He said users should change passwords regularly: "it's an education process".

The breach comes two months after researchers found personal data of a reported 152 million Adobe users online, following a massive security breach of Adobe's cloud services. Facebook followed that finding with a warning to its own users.

AP, AFP

6 comments

  • Yahoo have been slack in their programming methods for this to be an issue. ALL PASSWORDS should be stored as an MD5 encryption; this is a 1-way encryption that cannot be deciphered, and it makes it impossible for hackers to access the accounts because they don't have the unencrypted password. When logging on, the system encrypts the password entered by the user and compares it to the stored encrypted password to authorise access; if the stolen encrypted password is entered to log on, it would be encrypted again, and when compared to what is stored it would not match. The companies who do not encrypt passwords should be fined and forced to use industry best practices.

    Commenter
    JHP
    Location
    Colac
    Date and time
    January 31, 2014, 12:41PM
    • "ALL PASSWORDS should be stored as an MD5 encryption"

      No they shouldn't. MD5 was deemed "cryptographically broken and unsuitable for further use" in December 2008. The minimum level of encryption should be SHA-2.

      Commenter
      Mike
      Date and time
      January 31, 2014, 1:59PM
    • Oh JHP. How wrong you are.
      I sincerely hope you don't work in IT. Or are just nerd sniping. Either way. Your lack of knowledge on the topic is displeasing considering the self-assured tone you're writing in. Might I direct you to the security.stackexchange network where you can learn about modern password hashing security? security.stackexchange.com/questions/211/how-to-securely-hash-passwords
      The key point; "MD5 is broken: it is computationally easy to find a lot of pairs of distinct inputs which hash to the same value. These are called collisions."
      Regards,

      Commenter
      NOPENOPENOPE
      Date and time
      January 31, 2014, 2:00PM
    • "Best practice" also includes reading the whole report, not jumping to conclusions based on preliminary data, e.g. headlines.

      "Yahoo said the usernames and passwords weren't collected from its own systems, but from a third-party database.

      Because so many people use the same passwords across multiple sites, it's possible hackers broke in to some service that lets people use email addresses as their usernames. The hackers could have grabbed passwords stored at that service, filtered out the accounts with Yahoo addresses and used that information to log in to Yahoo's mail systems"

      Commenter
      peterh_oz
      Date and time
      January 31, 2014, 2:00PM
    • Refer to http://dev.mysql.com/doc/refman/5.0/en/user-names.html and it explains in greater detail how a password is stored as an encrypted field in a MySQL database. I acknowledge that the method of encryption has been bolstered, but that doesn't change the fact that proper encryption and the use of strong passwords make it much harder for this type of hacking to yield results. You would be amazed how many major companies use logon code on Windows servers with major vulnerabilities that they have copied from Microsoft's website. Why would you just filter out Yahoo mail accounts? If Yahoo's excuse that the account details were downloaded from a third-party site is correct, you would think that the hacker would also have enough info to access email accounts at Gmail, Hotmail and other popular email providers.

      Commenter
      JHP
      Location
      Colac
      Date and time
      January 31, 2014, 6:24PM
  • "the bad guys"..."We're clearly under attack"...don't you just love the American world-view?!

    Commenter
    Tadbitter
    Date and time
    January 31, 2014, 1:29PM
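
The hash-then-compare login check discussed in the comments above, as an added example (not code from the article, Yahoo or any commenter): it stores constructed sample passwords once as unsalted MD5 and once as salted PBKDF2-HMAC-SHA256 records, and shows what a copied table reveals in each case. The function names, the record format and the iteration count are assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune it to your own hardware


def md5_record(password: str) -> str:
    """Unsalted MD5: fast and deterministic, so equal passwords give equal records."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def kdf_record(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, deliberately slow hash; the record carries its own parameters."""
    salt = secrets.token_bytes(16)  # fresh random salt per account
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    try:
        scheme, iterations, salt_hex, dk_hex = record.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)
        actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    except (ValueError, OverflowError):  # malformed or tampered record
        return False
    return hmac.compare_digest(actual, expected)


def shared_hash_groups(table: dict) -> list:
    """Users whose stored records are identical, as visible in a copied table."""
    groups = {}
    for user, record in table.items():
        groups.setdefault(record, []).append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


# Constructed sample accounts; two users share a password.
USERS = {"alice": "sunshine1", "bob": "sunshine1", "carol": "c0rrect-horse"}

if __name__ == "__main__":
    md5_table = {u: md5_record(p) for u, p in USERS.items()}
    kdf_table = {u: kdf_record(p) for u, p in USERS.items()}
    print("MD5 duplicates:", shared_hash_groups(md5_table))
    print("KDF duplicates:", shared_hash_groups(kdf_table))
    print("alice login ok:", verify("sunshine1", kdf_table["alice"]))
```

Neither scheme protects an account whose password was reused on another service and recovered there, which is the scenario Yahoo describes.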