Yahoo Announces (Sort of) an E-Mail Hack

Yahoo headquarters in Sunnyvale, California, on Jan. 1. Photograph by Kristoffer Tripplaar/Sipa USA via AP Photo

Yahoo! yesterday informed customers that it had discovered a hack into their e-mail accounts. But the announcement, made in a blog post, isn’t particularly illuminating.

As if at first addressing a general problem, the post opens with: “Security attacks are unfortunately becoming a more regular occurrence.” OK, yeah. It continues with vaguer terms. The company “recently,” it says, identified an “effort” to gain “unauthorized access” to Yahoo e-mail accounts. Perhaps the company was trying to break it to you gently, but it’s only in the second paragraph that Yahoo says it was a lot more than an effort.

In fact, the hack yielded a list of usernames and passwords for Yahoo-based e-mail accounts, and the attackers sought the names and addresses to which those accounts had most recently sent messages.

So what do we know? We know that Yahoo e-mails were compromised, and the company says it’s protecting customers by resetting passwords.

There’s some blame-shifting: According to Yahoo, it looks as if the list of usernames and passwords was collected from “a third-party database” and not obtained directly through a compromise of the company’s own systems.

We also know that Yahoo is working with federal law enforcement to find those responsible for the attack, and that Yahoo is sorry about all this: “We regret this has happened and want to assure our users that we take the security of their data very seriously.”

This isn’t the first time Yahoo e-mail account information has been stolen. In July 2012, some 450,000 accounts were compromised, CNN reported at the time.

Customers are left with a lot of questions. Yahoo isn’t saying how many accounts were compromised or whether there’s evidence that the hackers got access to other data residing in customer e-mail accounts. How much more sensitive information that Yahoo is nominally protecting is actually outside its walls in third-party databases? And is there anything Yahoo can change, besides your password, to stop such a breach from happening again?

