Yahoo won't say how many emails hacked

List of usernames and passwords used in attack was likely collected from a third-party database

Feb. 01--A day after Yahoo Inc. said it recently identified a "coordinated effort" to gain unauthorized access to its Yahoo Mail accounts, the nation's second largest email service declined to say how many accounts were affected or how it discovered the problem.

"Because the investigation is ongoing and we are working closely with federal law enforcement, we are not able to share any additional information beyond what we've said publicly," spokeswoman Kate Wesson said yesterday.

The list of email usernames and passwords used to execute the attack likely was collected from a third-party database that was compromised, and malicious software used the list to access Yahoo accounts, the company said in a security update on its blog.

"The information sought in the attack seems to be names and email addresses from the affected accounts' most recent sent emails," Yahoo said in the blog.

That could mean hackers were looking for more email addresses to send spam or scam messages. By grabbing real names from those sent folders, hackers could try to make bogus messages appear more legitimate to recipients.

"It's much more likely that I'd click on something from you if we email all the time," said Richard Mogull, CEO of Securois, a security research and advisory firm.

Yahoo said it took immediate action to protect affected email users, prompting them to reset account passwords.

The breach was the second unsettling episode for Yahoo email users in two months. In December, CEO Marissa Mayer apologized for a major hardware outage that interrupted usage for 1 percent of its accounts.


Herald wire services were used for this report.



Copyright 2014 - Boston Herald