Yahoo! is currently valued at around $23 billion and is one of the foremost e-mail providers in the world. It has hundreds of millions of subscribers, making Yahoo! Mail one of the most widely used e-mail services. But the giant has just taken a hit. According to recent reports, millions of Yahoo! Mail users are reporting that their accounts have been hacked. They also say that once an account is compromised, the owner's contacts start receiving spam from it, so the compromise spreads like an outbreak.
Apparently, some digging revealed that the attack is being coordinated single-handedly by a "security researcher" named Shahin Ramezany. He has even uploaded a tutorial video of a method for compromising Yahoo! Mail accounts that relies on a DOM-based XSS vulnerability, one of the basic techniques in the family of XSS security flaws. The technique is very simple, which makes it all the more dangerous. Worse, the vulnerability is present and exploitable in all major browsers. The method can also be read about by clicking here. Let's have a look at the video Shahin uploaded to YouTube.
Shahin mentioned, in his single tweet about the attack, that this puts roughly 400 million Yahoo! Mail users at risk. Being a security researcher and, perhaps, a gentleman, he has promised that he won't post the full details of the method until Yahoo! plugs the security hole.
This isn't the first time Yahoo!'s security has been compromised and, judging by the way Yahoo! has been handling such issues, it likely won't be the last. There was a similar incident not long ago, in July 2012, but that one happened because of swapping of files from Yahoo!'s servers, whereas this time the security flaw appears to be in Yahoo! Mail itself.
We recommend that our users do not click on any random, unreliable or suspicious links, even if they come from a friend. If you think a friend has sent you a legitimate link, first confirm it with them through a channel other than e-mail. Also, if you think your account has been compromised, be sure to change its password. If you use the same password for more than one account, be sure to make all of the passwords different. Be alert, be safe!