Yahoo states info sought in the attack seems to be names and emails from impacted accounts' most recent sent emails.
In a post on its official Tumblr, Yahoo has confirmed it has identified a "coordinated effort" to gain unauthorized access to Yahoo mail accounts, and upon discovery of the breach, it has reset the user passwords on affected accounts. According to company, the attack was indirect, claiming "the list of usernames and passwords that were used to execute the attack was likely collected from a third-party database compromise," and that it has no evidence data was obtained from Yahoo's systems. It adds that the info sought from the hack seems to be names and email addresses from impacted accounts' sent emails.
The company has outlined the steps it's making to protect users, which you can read below.
- We are resetting passwords on impacted accounts and we are using second sign-in verification to allow users to re-secure their accounts. Impacted users will be prompted (if not, already) to change their password and may receive an email notification or an SMS text if they have added a mobile number to their account.
- We are working with federal law enforcement to find and prosecute the perpetrators responsible for this attack.
- We have implemented additional measures to block attacks against Yahoo's systems.
While Yahoo hasn't mentioned how many accounts were compromised, it regrets the attack happened, and claims it wants to assure users that the company takes "the security of their data very seriously."
For those affected, you'll be asked to change your password the next time you log in to Yahoo Mail. In the meantime, if you use the same password on multiple sites, make sure to give those a quick change, too, just to be sure.