Yahoo's ad network sent malware to the computers of people who visited the company's popular family of sites for a week, the New York Times reported.
The attack leveraged a bug in Adobe Flash — a graphics program with a history of security problems that many developers have urged users to dump.
The type of scheme used, known as "malvertising," takes advantage of the online advertising system that supports much of the Web: The bad guys buy up digital ad space, then use it to serve up malicious software to visitors of legitimate sites. In this case, those sites included Yahoo's sports, news and finance sites, according to the Times.
When people using Windows computers visited the site, the infected ads sent them malicious code that checked to see if their computer had an out of date version of Flash — which the bad guys could then potentially use to hijack the computer.
"As soon as we learned of this issue, our team took action to block this advertiser from our network," a Yahoo spokesman said in a statement. "Unfortunately, disruptive ad behavior affects the entire tech industry. Yahoo has a long history of engagement on this issue and is committed to working with our peers to create a secure advertising experience."
It's unclear how many people may have been hit by the attack, which did not require users to do anything other than browse to a page featuring the malicious advertisements. But MalwareBytes noted that Yahoo's home page receives billions of visits a month, and its other news and entertainment sites receive hundreds of millions of visits.
Yahoo declined to comment on how many people were caught up in the advertising attack, but said "the scale of the attack was grossly misrepresented in initial media reports."