Hacking of Yahoo webmail is not a new thing for most of us, but the attacks have become just more aggressive from the past few weeks. Just last week, several Yahoo mail accounts were broken into, at al global level, leading to disruption of users’ privacy. While the users were complaining that their webmail accounts have been hijacked, Yahoo blamed cross-site scripting security bugs for the upsurge in webmail account takeovers. The customers even complained that their contacts have been spammed and their passwords changed so they are locked out of their account.

To cope with the hijack incidents, Yahoo has partnered with British multinational telecommunications services company BT. A thread on the BT support forum, running to many pages, and the posts on a broadband support forum both suggest that Yahoo! webmail hijack problems flared up last weekend.

Talking about the Yahoo’s problems, a tipster told The Register,

“Lots of Yahoo! Mail accounts were broken into last week by computers all over the world. It seems a botnet was used to do it. The hackers might have accessed some of the accounts through Apple iPhone’s Yahoo! Mail app, as account security logs show that as one of the hack entry points.”

The major series of attacks on Yahoo webmail started in January and are still continuing. The company is not only getting reports from individual Yahoo users about their accounts getting hacked, but a spike can also be seen in traffic from Google, representing a rise in users realizing their inboxes have been hijacked after hackers send out a bunch of emails from already compromised accounts.

Taking corrective action back in January, Yahoo! said that it had squashed a cross-site scripting (XSS) vulnerability in its webmail service which was blamed for a spate of account hijackings. The compromised accounts were used to send spam. Here’s what Yahoo said that time,

“The cross-site scripting vulnerability that we identified on Friday was fixed the same day. We can confirm that we’ve now fixed the vulnerability on all versions of the site.”

Again in February, security firm BitDefender warned of an apparently separate attack aimed at harvesting Yahoo! webmail account cookies that relied in part on a buggy version of WordPress on Yahoo! Developers Blog, malicious JavaScript and cross-site scripting flaws.

We asked about the repeated attack, Yahoo did not respond clearly and just said that it was an XSS problem. Again, they did not confirm if it was the same problem it told us it had squashed in January.

“The XSS flaws reported to Yahoo! have been fixed and we continue to aggressively investigate reports of any email accounts exhibiting anomalous behaviour. We’re committed to protecting our users and their data. We strongly urge our users to change their passwords frequently and to use unique, alphanumeric passwords for each online site they visit.”