Yahoo
Hackers in late July exploited Yahoo's ad network to deliver malware directly to users of Windows computers who simply visited the company's websites, according to a security firm this week. Denis Balibouse/Reuters

Yahoo on Monday shut down a cyber hack attack that exploited the company's ad network for a full week to deliver malware directly to the computers of users who visited the company's websites, the cyber security firm that discovered the attack said this week. Yahoo did not reveal how many users were affected, but it could be substantial, given that Yahoo gets 6.9 billion visits a month.

For the malware attack, hackers purchased advertisements that ran on Yahoo's sports, news and finance sites, according to the New York Times. Then, when someone using a Windows PC visited a Yahoo website and came across one of the advertisements, his or her computer would automatically download the malicious code. At that point, the code sought out an outdated version of Adobe Flash, which it could use to take full control of the infected machines.

Having confiscated use of the machines, hackers would then hold the computers hostage until users paid them off or they would simply use the computers to drive traffic toward websites owned by them.

Altogether, the so-called "malvertising" attack is believed to be one of the biggest in recent times due to the massive amount of traffic Yahoo generates. The attack began on July 28 and was discovered on Monday by cyber security firm Malwarebytes, which informed Yahoo of the attack that same day. Yahoo took action to stop the attack immediately.

"Malvertising is a silent killer because malicious ads do not require any type of user interaction in order to execute their payload," Malwarebytes said in a blog post, explaining that hackers took advantage of the complex online advertising industry to sneak their malicious code in. "The mere fact of browsing to a website that has [advertisements] (and most sites, if not all, do) is enough to start the infection chain."

Yahoo has not said how many users were affected by the attack, but the company said it "is committed to ensuring that both our advertisers and users have a safe and reliable experience." Adobe, meanwhile, has encouraged users to update their computers to the latest version of Flash.