About 1500 Yahoo!Xtra accounts have been caught up in a fresh cyber attack in the last two days and their email accounts have been frozen until they change their passwords.
Earlier there were concerns hackers may have gleaned passwords and log-ons from customers emails but Telecom spokesperson Jo Jalfon said an old warning had gone up on Telecom's website by mistake.
Yahoo users in Singapore have been warned about spam e-mail that could leave them vulnerable to attacks by hackers.
A government information watchdog has advised them not to click on the links in these messages - even those that are supposedly sent by friends.
The warning was issued last Friday in a bulletin on the website of the Singapore Computer Emergency Response Team (SingCert). It said that there have been reports of spam e-mail from Yahoo accounts containing links to sites selling "work-from-home" schemes and packages.
Telecom has admitted its outsourced YahooXtra email service has been compromised by hackers resulting in some YahooXtra customer accounts being hijacked to send out malicious email. It is advising all YahooXtra customers to change their passwords.
The company initially blamed a deluge of compromised accounts on a successful phishing attack, saying customers were tricked into clicking on scam emails, but has now acknowledged a "second attack" that was outside customers' control.
On Monday, Yahoo told TNW it had plugged a vulnerability in Yahoo Mail that had resulted in email accounts being compromised after users clicked on a malicious link they received in their inboxes. On Tuesday, the information security training and penetration testing firm Offensive Security said it has discovered the vulnerability is still present.
Reports about a malicious link compromising the security of several Yahoo! Mail accounts surfaced yesterday. The Next Web reports that a hacker going by the name Shahin Ramezany uploaded a YouTube video demonstrating how a Yahoo! account can be compromised with a DOM-based XSS vulnerability that can be misused across all major browsers.
A penetration tester has reportedly hacked Yahoo!, claiming to have gained access to website backup and database files for a dozen databases.
The hacker using the handle Virus_Hima published screenshots that showed the purported site backups for a Yahoo! finance subdomain.
The hacker claimed to have accessed the databases via a reflected cross site scripting vulnerability which he told SC was fixed by Yahoo!. He also said he discovered a SQL Injection hole. Virus_Hima disclosed the flaws alleging that Yahoo! had ignored his vulnerability disclosure email.
Attackers can read emails, contacts and other private data from the accounts of Yahoo users who visit a malicious page by abusing a feature present on Yahoo's Developer Network website, according to an independent security researcher.
A limited version of the attack was presented on Sunday at the DefCamp security conference in Bucharest, Romania, by a Romanian Web application bug hunter named Sergiu Dragos Bogdan.
Yahoo is investigating the claims of a hacker who is selling an exploit that apparently hijacks Yahoo mail accounts.
"The exploit, being sold for $US700 by an Egyptian hacker on an exclusive cybercrime forum, targets a cross-site scripting (XSS) weakness in yahoo.com that lets attackers steal cookies from Yahoo! Webmail users," wrote Brian Krebs, a noted security blogger who reported the illegal offer to Yahoo.
A new exploit being sold for $700 may put tens of millions of Yahoo Mail users at risk.
Once victims click on a malicious email link, the exploit allows an attacker to steal and replace tracking cookies, while remotely controlling the victims' browsing sessions.
In a blog post, Yahoo has said there is a security vulnerability in its JavaScript framework YUI version 2. It does not, though, give a detailed description of the bug. The issue only, now, relates to any project where the developers have hosted their own version of the YUI 2 SWF files (from version 2.4.0 to 2.9.0). Those who have used Yahoo's yui.yahooapis.com CDN or another CDN for YUI 2 or use YUI 3 are not affected by the issue said Yahoo.
We have identified a security vulnerability on self-hosted YUI 2 SWF files.
