Users resetting their Yahoo! passwords might also want to check the list of authorized apps and devices, because iOS Mail will continue to have access to the account even after a password reset, researchers discovered.
Last week, Yahoo! confirmed that 500 million accounts were compromised in a breach dating back to 2014, and prompted users to reset their passwords so that the attackers can't use the stolen credentials to access their accounts. The company said at the time that the attack was state-sponsored, but researchers believe the data is in the hands of cybercriminals who have already monetized it.
Users possibly impacted by the data breach were prompted to change their Yahoo! passwords, but Zero Day Initiative (ZDI) researcher Simon Zuckerbraun has found that this step alone isn't enough to secure a compromised account. After resetting his password when notified, he discovered that the iOS Mail app on his iPhone, which had been configured for Yahoo! mail, was still connected to the account and could access its content.
The problem, Trend Micro explains, is that Yahoo! had issued the device a permanent credential, separate from the password, that wasn't revoked when the password was reset. The application therefore remained authorized, even though it was no longer supposed to be.
“In other words, if someone already obtained access to your account and configured the iOS Mail app to use it, they would still have access to the account even after the password changes. What’s worse is that you would likely not even realize someone still has access to your email,” Trend Micro says.
That is concerning, but the old password itself does stop working: "new" logins from other devices, or through the webmail interface, using the old credentials would fail.
Another issue is that Yahoo! hasn’t informed users that, after changing their passwords, they should take additional steps to secure their accounts. “This could lead to a situation where millions believe they are protected even though they aren’t,” Trend Micro notes.
What’s more, the “Account Security” tab in one’s Yahoo! account isn’t of much help in this situation; the “Recent Activity” tab is where users should look. It lists all the applications connected to the account and offers the option to remove them.
“Looking at the phone settings is of little help. Looking at the setting shows there is no option via the app to change the password. This is likely by design. When you set up your mail account on the device, it gets permanently credentialed until the credential is revoked through the server,” Trend Micro reveals.
Yahoo! users who recently changed their passwords are advised to check the associated applications and devices as well, and to remove those that look suspicious. Moreover, they should enable two-factor authentication (2FA) or use Yahoo’s Account Key to make it more difficult for attackers to access the account in the event of a password compromise.
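The behaviour described above (a device token that outlives the password it was issued against) and the remediation steps (review the connected devices, remove the suspicious ones) can be modelled in a few dozen lines. The following is an added example written for this article, not Yahoo!’s or Apple’s code; the account server, the `cred_gen` counter and the sample account named "victim" are constructed for illustration. Running the same attacker scenario twice, once with the weak policy and once with a server that bumps a credential generation on every password reset, shows why the old password fails while the device token keeps working, and how the server-side removal step closes the hole.

```python
import hashlib
import hmac
import os
import secrets


class AuthServer:
    """Toy account server: passwords are hashed, mail clients get long-lived tokens.

    revoke_on_reset=False reproduces the behaviour the article describes: a device
    token stays valid after the password is reset.  revoke_on_reset=True binds each
    token to a credential generation that a reset bumps, so every token issued
    before the reset is rejected.  (Hypothetical design, not Yahoo!'s.)
    """

    def __init__(self, revoke_on_reset: bool):
        self.revoke_on_reset = revoke_on_reset
        self.users = {}          # username -> {"salt", "pw_hash", "cred_gen"}
        self.device_tokens = {}  # token -> {"user", "device", "cred_gen"}

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        # Iteration count kept low so the example runs quickly.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)

    def _verify_password(self, username: str, password: str) -> bool:
        user = self.users.get(username)
        if user is None:
            return False
        return hmac.compare_digest(self._hash(password, user["salt"]), user["pw_hash"])

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[username] = {"salt": salt, "pw_hash": self._hash(password, salt),
                                "cred_gen": 1}

    def configure_device(self, username: str, password: str, device_name: str) -> str:
        """Device setup: the password is presented once and exchanged for a token."""
        if not self._verify_password(username, password):
            raise PermissionError("bad password")
        token = secrets.token_urlsafe(32)
        self.device_tokens[token] = {"user": username, "device": device_name,
                                     "cred_gen": self.users[username]["cred_gen"]}
        return token

    def _token_valid(self, rec: dict) -> bool:
        # Weak policy: any stored token is good.  Hardened policy: the token must
        # carry the account's current credential generation.
        if not self.revoke_on_reset:
            return True
        return rec["cred_gen"] == self.users[rec["user"]]["cred_gen"]

    def fetch_mail(self, token: str) -> bool:
        """Every later sync presents the stored token, never the password."""
        rec = self.device_tokens.get(token)
        return rec is not None and self._token_valid(rec)

    def webmail_login(self, username: str, password: str) -> bool:
        return self._verify_password(username, password)

    def reset_password(self, username: str, new_password: str) -> None:
        user = self.users[username]
        user["salt"] = os.urandom(16)
        user["pw_hash"] = self._hash(new_password, user["salt"])
        user["cred_gen"] += 1  # only consulted when revoke_on_reset is True

    def list_devices(self, username: str) -> list:
        """Server-side view of connected apps, like the article's 'Recent Activity'."""
        return sorted(rec["device"] for rec in self.device_tokens.values()
                      if rec["user"] == username and self._token_valid(rec))

    def remove_device(self, username: str, device_name: str) -> None:
        """Revocation through the server: under the weak policy, the only way a token dies."""
        stale = [t for t, r in self.device_tokens.items()
                 if r["user"] == username and r["device"] == device_name]
        for token in stale:
            del self.device_tokens[token]


def run_scenario(revoke_on_reset: bool) -> dict:
    """Attacker configures a mail client with the leaked password; the victim resets it.
    Returns what still works at each step."""
    srv = AuthServer(revoke_on_reset)
    srv.register("victim", "leaked-password")  # constructed sample account
    attacker_token = srv.configure_device("victim", "leaked-password", "iPhone (attacker)")
    out = {"before_reset": srv.fetch_mail(attacker_token)}
    srv.reset_password("victim", "new-strong-password")
    out["after_reset"] = srv.fetch_mail(attacker_token)
    out["old_password_webmail"] = srv.webmail_login("victim", "leaked-password")
    out["devices_seen"] = srv.list_devices("victim")
    srv.remove_device("victim", "iPhone (attacker)")
    out["after_device_removed"] = srv.fetch_mail(attacker_token)
    return out


if __name__ == "__main__":
    print("no revocation on reset:", run_scenario(False))
    print("revocation on reset:   ", run_scenario(True))
```

With the weak policy, `after_reset` is still `True` while `old_password_webmail` is `False`, which is exactly the split the article reports: the password changed, the token did not. Only `remove_device` (the "Recent Activity" removal) cuts the attacker off. With the hardened policy the reset alone invalidates the token, which is the behaviour the related Google change below adopts for OAuth tokens. The generation-counter approach also works for signed or stateless tokens, since the check compares a number embedded in the token against the account record rather than searching a token store.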
By taking these additional steps after a breach notification, users can prevent further damage to their accounts. Although it is unclear whether the attackers will be able to recover plaintext passwords from the stolen password hashes, users who change their password and review the associated devices are likely to be less affected, researchers say.
Related: Users File Lawsuit Against Yahoo Over Data Breach
Related: Google to Revoke OAuth 2.0 Tokens Upon Password Reset