Still reeling from a major security breach last month, a fresh report claims that hundreds of Yahoo email accounts have been hacked for the fourth time in as many months, raising serious doubts about the email provider’s ability to protect its customers’ accounts from cybercriminals and malicious spam.
The report comes from the UK’s Channel 4 News, which says that dozens of Yahoo users have complained that their email accounts are still being compromised in exactly the same way as they were during last month’s breach. The hackers, who are believed to be based in Russia, employ a technique that exploits a cross-site scripting (XSS) vulnerability in Yahoo’s email service, hijacking dozens of user accounts and using them to distribute spam across the web.
The attacks may have even begun as early as January – back then, The Register reported on a similar breach involving the same XSS vulnerability that Yahoo later claimed to have fixed:
“The cross-site scripting vulnerability that we have identified on Friday was fixed the same day,” a Yahoo spokesperson said at the time. “We can confirm that we’ve now fixed the vulnerability on all versions of the site.”
This was followed by the incident in March, during which dozens of Yahoo customers complained of their accounts being hijacked, with spam being sent to their contacts and their passwords changed, locking them out of their accounts.
Speaking to The Register in March, a source from inside Yahoo elaborated on the company’s problems:
“Lots of Yahoo! Mail accounts were broken into last week by computers all over the world. It seems a botnet was used to do it. The hackers might have accessed some of the accounts through Apple iPhone’s Yahoo! Mail app, as account security logs show that as one of the hack entry points.”
Yahoo’s next move was to team up with BT, the UK’s largest telecommunications operator, in an attempt to resolve the problems, yet even now the company is still receiving complaints from its users, who claim their accounts are being hacked again and again.
One user told Channel 4 News:
“My mother’s Yahoo! Mail account has been compromised today 25th April 2013. I am very concerned about this – fortunately I have enough knowledge to know not to click on the link but others in her address book may not. This is not acceptable from companies who are making millions of pounds but are leaving their customers in a very vulnerable position.”
Channel 4 News reports that the hackers are still following the same pattern as in previous breaches: logging into the mobile version of Yahoo’s email client, then immediately logging into the same account through a regular browser, and finally using the hijacked account to send out spam emails advertising a get-rich-quick scheme.
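A defender-side check for the sign-in pattern described above, added here as an example; it is not part of the original report or of Yahoo’s systems. The sample sign-in records, the "mobile"/"browser" client labels and the five-minute window are constructed assumptions:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records (not real Yahoo logs):
# (account, UTC timestamp, client type, country of source address)
SAMPLE_SIGNINS = [
    ("alice", "2013-04-25T09:00:00", "mobile",  "GB"),
    ("alice", "2013-04-25T09:01:30", "browser", "NL"),
    ("bob",   "2013-04-25T10:00:00", "mobile",  "GB"),
    ("bob",   "2013-04-25T14:30:00", "browser", "GB"),
    ("carol", "2013-04-25T11:00:00", "browser", "US"),
    ("carol", "2013-04-25T11:00:40", "browser", "US"),
]


def _parse(record):
    account, ts, client, country = record
    return account, datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), client, country


def find_mobile_then_browser(signins, window_minutes=5):
    """Flag accounts where a 'mobile' sign-in is followed within
    window_minutes by a 'browser' sign-in (the hijack pattern in the
    report). Returns one tuple per flagged account, for its earliest
    match: (account, minutes between the two sign-ins,
    mobile sign-in country, browser sign-in country)."""
    by_account = defaultdict(list)
    for account, when, client, country in map(_parse, signins):
        by_account[account].append((when, client, country))

    window = timedelta(minutes=window_minutes)
    hits = []
    for account, events in sorted(by_account.items()):
        events.sort()  # chronological order per account
        for i, (t_mobile, client, mobile_country) in enumerate(events):
            if client != "mobile":
                continue
            # Only sign-ins that land inside the window after the mobile one.
            later = [e for e in events[i + 1:] if e[0] - t_mobile <= window]
            browser = next((e for e in later if e[1] == "browser"), None)
            if browser is not None:
                gap = (browser[0] - t_mobile).total_seconds() / 60
                hits.append((account, gap, mobile_country, browser[2]))
                break  # one alert per account is enough
    return hits


if __name__ == "__main__":
    for account, gap, from_country, to_country in find_mobile_then_browser(SAMPLE_SIGNINS):
        print(f"{account}: mobile ({from_country}) then browser ({to_country}) after {gap:.1f} min")
```

Accounts that trigger this check are candidates for forcing a password reset and revoking the active sessions, rather than only prompting the user, since the report notes the spam continued after users changed passwords themselves.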
In response to these latest complaints, Yahoo blurted out the same statement as it did last March, assuring people that it takes “data protection very seriously” and will prompt users to change their passwords if it detects anything suspicious.
However, some users have complained that this solution just isn’t working. At least one person told Channel 4 News that their account was still being accessed even after they had changed their password.
“I changed my password, set up the second-stage verification login and have set up a sign-in seal, but still my browser is logged in by someone in the Netherlands as we speak!!”
When questioned by Channel 4 News about whether its security settings were also being bypassed by the hackers, Yahoo refused to comment on the matter.
SiliconANGLE has spent the last two weeks trying to speak to a Yahoo representative about this matter, sadly to no avail. For anyone seeking help mitigating these attacks, read my next post, How To Protect Your Yahoo Mail Against Hackers. Alternatively, learn how to switch email providers quickly and easily (keeping all your contacts, old messages, and address intact) in my new post here.