Up until Monday, hackers had been hijacking banner ads running on Adobe Flash on Yahoo's websites. Malwarebytes, the security company that exposed the hack, revealed that the site, which receives some 6.9 billion monthly views, had been exploited since July 28 through its ad network.
The exploit worked like this: Hackers bought a number of ads that would be propagated through Yahoo's network of sites. Ads don't usually appear on their own—they come loaded with a package of scripts that track metrics for ad companies. In this case, the hackers' code eventually redirected to a script that exploited computers using older versions of Adobe Flash.
The New York Times reported that the exploit would allow hackers to take control of the user's computer and hold it for ransom, or siphon off web traffic to other sites to get cash. Updated versions of Flash guard against these sorts of exploits, but older versions are left vulnerable.
"Unfortunately, disruptive ad behavior affects the entire tech industry," Yahoo told Malwarebytes. "Yahoo has a long history of engagement on this issue and is committed to working with our peers to create a secure advertising experience."
Only Yahoo could really know how many people were affected, but the company did not immediately respond to requests for comment.
Flash has been dying a slow death for years. Although it has been the de facto software for powering video, HTML5 has been seeing more use lately as a way to serve ads and provide a more developer-friendly backbone for apps. YouTube ditched Flash in favor of HTML5 in January, and Twitch, a video streaming network popular with gamers, followed suit this past July. Until there's a movement among heavily trafficked sites to phase Flash out, there's a good chance vulnerable users will continue to be targeted.