A list of Yahoo Mail usernames and passwords was obtained via a compromised third-party database, impacting an unspecified number of users, according to an announcement on Thursday.
This security breach comes at a critical time for Yahoo after its revenue dropped 6 percent in the fourth quarter of 2014, causing its shares to fall 7.5 percent on Wednesday.
According to an announcement by Yahoo, it has changed the passwords of affected users, and is using “second sign-on verification to allow users to re-secure their accounts.”
Yahoo is working with federal law enforcement in its investigation of the attack, and has implemented “additional measures” to block attacks against its systems.
“We have no evidence that they were obtained directly from Yahoo’s systems,” Jay Rossiter, SVP, Platforms and Personalization Products, said in a Tumblr post. “Our ongoing investigation shows that malicious computer software used the list of usernames and passwords to access Yahoo Mail accounts. The information sought in the attack seems to be names and email addresses from the affected accounts’ most recent sent emails.”
This is the latest issue for Yahoo Mail, which came under fire last month for an outage that lasted up to a week for many users. Users were unable to sign in to their email accounts for the duration of that outage in December, and Yahoo struggled to communicate the issue to its customers until the outage had been resolved.
Yahoo Mail has around one hundred million daily users (according to a recent report by PCMag), so even if a small percentage were affected by the breach, it is still significant. Yahoo made many investments in its email service last year, including a partnership with Dropbox for users to more effectively manage email attachments.
Like web hosting, email is an essential service to many users, and there is a low tolerance for downtime, as evidenced by Gmail’s hour-long outage last week.