Yahoo has repeatedly claimed that the flaws were fixed, but the attacks go on and the number of hijacked accounts continues to be considerable.
The Next Web says that the spikes of Google traffic to their earlier items concerning the attacks is proof that the problem persists and users are searching for explanations. Having been contacted directly by some of them, it seems that not all can point to the likely method employed by the hijackers and the correct time when the hijacking occurred.
Some received booby-trapped emails (often seemingly from friends or colleagues) that contained links that directed them to a bogus news site that hijacked their Yahoo Mail account if they were logged in. Others say they never received a similar email but that, nevertheless, their accounts got taken over.
The attackers are mostly using the compromised accounts to send out spam to the users' contacts and, indeed, to anyone from whom they ever received a message. Among this spam are also the aforementioned emails that permit cyber scammers to always access a fresh batch of accounts to continue the campaign.
But these hijacked accounts are not only a source of new potential victims. According to one of the polled users, they were offered a toll free number that would supposedly lead to someone who could help them regain control of the accounts - in return for $100.
Yahoo says that they "aggressively investigating reports of any email accounts exhibiting anomalous behavior," so let's hope we'll see some results soon.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.