Yahoo said it is resetting passwords for some of its e-mail users after discovering a coordinated effort to compromise accounts.
Attackers behind the cracking campaign used usernames and passwords that were probably collected from a compromised database belonging to an unidentified third party, according to Jay Rossiter, Yahoo senior vice president of platforms and personalization products, who wrote an advisory published Thursday. A large percentage of people use the same password to protect multiple Internet accounts, a practice that allows attackers holding credentials taken from one site to compromise accounts on other sites. There's no evidence the passwords used in the attack came from Yahoo Systems.
"Our ongoing investigation shows that malicious computer software used the list of usernames and passwords to access Yahoo Mail accounts," Rossiter wrote. "The information sought in the attack seems to be names and e-mail addresses from the affected accounts' most recent sent e-mails."