5 percent of stolen passwords were valid: Yahoo!

Powered by SC Magazine
 

No word on why passwords weren't encrypted.

Yahoo! has claimed only five percent of the 450,000 passwords stolen from its Voices service yesterday remain valid.

The company is disabling passwords and notifying companies whose domains were used by staff to register for the service.

The credentials were published in clear text in what the company claimed was an "older file".

However, Yahoo! did not respond to questions from SC about whether they were initially encrypted or why they were stored in clear text.

The group dubbed 'd33ds' claimed responsibility for the hack. Security researchers said the credentials were stolen from Yahoo.com subdomain dbb1.ac.bf1.yahoo.com.

Yahoo! said in a statement that it took "security very seriously" and invested "heavily in protective measures".

"We confirm that an older file from Yahoo! Contributor Network (previously Associated Content) containing approximately 450,000 Yahoo! and other company users names and passwords was compromised on July 11," a spokesperson said in a statement to SC.

Content from the Contributor Network was published on Yahoo! Voices among other sites.

"We are taking immediate action by fixing the vulnerability that led to the disclosure of this data, changing the passwords of the affected Yahoo! users and notifying the companies whose users accounts may have been compromised," the company said.

"We apologise to all affected users."

TrustedSec said the breached appeared to be a union-based SQL injection attack to extract the sensitive information from the database. Those attacks could force vulnerable databases to regurgitate large amounts of information by issuing crafted requests.

Users of Yahoo! Voices could validate their exposure to the breach by entering their email addresses into a tool created by Securi's Daniel Cid.

Copyright © SC Magazine, Australia


5 percent of stolen passwords were valid: Yahoo!
 
 
 
Top Stories
Windows 10 lands in Australia
Campaign to get business to upgrade kicks off.
 
NSW to build its own myGov
Service NSW digital profiles available by September.
 
Android bug leaves a billion phones open to attack
Hackers only need phone number to target devices.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest Comments
Polls
Should law enforcement be able to buy and use exploits?



   |   View results
Yes
  14%
 
No
  51%
 
Only in special circumstances
  17%
 
Yes, but with more transparency
  18%
TOTAL VOTES: 782

Vote