The forensic investigation is still going on, but it is highly likely that the bad guys initially got in through a spear phishing attack with a spoofed 'From' address. These types of attacks are hard to spot and employees tend to fall for them.
At this point, Yahoo has fallen down on security in so many ways that we are now advising all our clients who have an active Yahoo email account, either directly with Yahoo or via a partner like AT&T, to get rid of it. And in case you have employees who check their Yahoo account on lunch breaks... it's time to put Yahoo on the block list of your firewall and all filtering software & devices.
Here are some hints and tips for Yahoo account owners....
- Before you delete the account, get rid of all the folders, and only then delete the account and open a free Gmail account instead.
- Check whether you have used your Yahoo password on other sites, and change the password and security questions for those accounts. And remember, never reuse your email password (or any other password tied to an account that holds sensitive data about you) at any other site.
- If you used a mobile phone number in association with your Yahoo account, and you still use that mobile phone number, then SMS phishing (a.k.a. Smishing) is now a distinct possibility, so be very wary of this.