Yahoo doesn't provide much information. It doesn't say when this activity was noticed, how many accounts have been affected, nor who it thinks might be responsible. It is, however, suggesting that Yahoo itself has not been hacked. "Based on our current findings," wrote Jay Rossiter, SVP for platforms and personalization products, "the list of usernames and passwords that were used to execute the attack was likely collected from a third-party database compromise. We have no evidence that they were obtained directly from Yahoo’s systems."
He adds that "malicious computer software used the list of usernames and passwords to access Yahoo Mail accounts," and that the attack specifically sought "names and email addresses from the affected accounts' most recent sent emails."
Reports that Yahoo Mail has been hacked seem to be exaggerated. The implication here is that the email addresses and the passwords could have been taken from any one or more of the recent large scale breaches elsewhere (Adobe, Target, Neiman Marcus, Michaels etcetera). Any user reusing their Yahoo password in any of those accounts would automatically be compromised.
However, since the attackers would not know which of the passwords had been reused, they developed their own 'malicious software' to automate the probes. If ever users needed a further demonstration that passwords should never be reused over multiple accounts, this is it.
The motivation for the attack is, however, a little obscure. "One likely reason is to harvest valid email addresses from the sent folder in order to deliver spam runs," Fraser Howard, security researcher with Sophos, suggested to Infosecurity. "I bet if you could survey the contacts of victims, those contacts would have received spam messages from that victim in the time window following the attack – and perhaps additional spam runs from some other account later. A valid email address has some monetary value to spammers; it might only be small for a single address, but in bulk, there is profit to be made."
This would explain the automated attack, working on the assumption that Yahoo would quickly recognize and block the activity. "A quick harvest of information ensures value (profit) even once access is subsequently blocked," he said.
But why the attack specifically targeted the 'sent' folder remains a puzzle, "unless," posits ESET senior research fellow David Harley, "it was simply to prove that they could or a precursor to a different kind of attack, or a cover for a more specifically-targeted attack. If you wanted to ensure that if your targeted attack was detected the victim wouldn’t realize the attack was targeted, you might try to hide the tree in the forest."
It is known that DDoS attacks are sometimes used to disguise more targeted hacks, and a similar approach may apply here; but that still doesn't explain the focus on the 'sent' folder. "If it's for harvesting addresses," Harley told Infosecurity, "it suggests that the attacker is looking for addresses particularly associated with the victim rather than mailing lists that may be ‘receive only’. Does that suggest plans for targeted social engineering? I don’t know..."