Yahoo Users whose accounts have been compromised with a mobile login get an email with the title
Yahoo! Sign-in Alert
This contains a statement similar to:
We detected a login attempt with valid password to your Yahoo! account (......) from an unrecognised device on Thu, Apr 25, 2013 07:32 CEST. Location: Hungary (IP=188.8.131.52).
Can anyone confirm that a valid password was used as I have reason to believe that in this form of hijack the hijacker does not have access to the password. For example has anyone evidence that the account was further compromised by the password being changed or other mischief.
Note that further compromising has been done with other forms of hijacking.
As the email hacking incident appears to be unsolved I think it would be useful to summarise the most interesting conclusions I have reached in my investigations.
While it is clear that accounts have been compromised by several methods the predominant mechanism for the accounts for March-May period seem to be by the use of applications that have become attached to yahoo accounts.
Accounts that are low usage also seem to have been particularly targetted.
It is also clear that the compromising did not involve the owner doing anything wrong.
The indications are that the hacker did not actually get hold of the account password but was able to access the account nevertheless.
The above suggests one of two things:
A) This is an inside job by someone at Yahoo ( eg how does the hacker know the account is low usage ?)
OR more likely
B) There is a flaw in the way applications can get attached to Yahoo accounts or in the application that allows a backdoor login to the account.
Note that hacking techniques such as session hijacking, cookie stealing, hotel and internet cafe compromising, while still usable do not appear to be involved in this attack.