It was widely reported on Thursday evening that Yahoo had experienced a security breach. There’s no way to tell how large the breach was because the only thing that Yahoo is acknowledging is the fact that there was actually a breach.
On Thursday, Yahoo reported that email usernames and passwords were stolen but didn’t say how many of their 273 million yahoo mail accounts were compromised. Yahoo is the second largest provider of free email in the world, behind Google’s GMail. Yahoo email was also introduced significantly earlier than Gmail’s debut, 10 years ago.
Yahoo described the security breach on their blog saying, “The information sought in the attack seems to be names and email addresses from the affected accounts’ most recent sent emails.”
The perpetrators could have taken those recent sent emails to phish for even more email accounts and usernames. With the names and identities, as well as the context from recent email conversations, the culprits could possibly use that information to craft new emails that may pass off as legitimate to the recipient.
Also, because many high profile web services use email for resetting passwords, the perpetrators could go to other web services like online banking and ask for a password reset which would then go back to the user’s yahoo email account. From there they could reset the passwords themselves and gain control of those accounts.
Yahoo says that the usernames and passwords were compromised by a third party database.
