“Recently, we identified a coordinated effort to gain unauthorized access to Yahoo Mail accounts,” writes the company that is not Google on its Tumblr page. “Upon discovery, we took immediate action to protect our users, prompting them to reset passwords on impacted accounts.”
The statement continues:
“Based on our current findings, the list of usernames and passwords that were used to execute the attack was likely collected from a third-party database compromise. We have no evidence that they were obtained directly from Yahoo’s systems. Our ongoing investigation shows that malicious computer software used the list of usernames and passwords to access Yahoo Mail accounts. The information sought in the attack seems to be names and email addresses from the affected accounts’ most recent sent emails.”
Yahoo says it is resetting passwords on accounts affected by the breach and requiring secondary sign-in verification for these users to prove they are who they claim to be.
If affected account-holders have associated a wireless number with their account, Yahoo may notify these users by text that they need to change their password.
Yahoo says it is working with (the very busy) federal law enforcement to investigate.
Even if you are not told to reset your Yahoo password, you would be well advised to do so, as you’d hate to find out too late that this data breach is larger than initially thought.
And just as a reminder, you should never use the same username/password pairing on multiple sites.