Yahoo! breach exposes 400,000 passwords

By , on
Yahoo! breach exposes 400,000 passwords

Yahoo! Voices compromised.

More than 400,000 usernames and passwords associated with the Yahoo! Voices service have been stolen and published online due to a security vulnerability in the search company's systems.

A data file published on the web contained logins and cleartext passwords for Yahoo! with user credentials from services Gmail, AOL as well as Microsoft's Hotmail, MSN and Live sites.

"It's way bigger than Yahoo!," said Marcus Carey, a researcher with Rapid7.

"We can assume that tens of thousands of people on services outside of Yahoo could be compromised."

The credentials, kept in clear text, were reportedly hacked by a group called 'd33ds' using a SQL injection attack to extract the sensitive information from the database, according to TrustedSec.

The full text of the compromised database was available on the group's website, which now appears offline.

The group allegedly behind the attack had earlier taken credit for hacking rival groups and the hacking leader board RankMyHack.

Yahoo!'s Australian subsidiary Yahoo7 referred SC to the US for contact. The company does not promote Yahoo! Voice locally.

Yahoo! had not responded to SC's questions at time of writing but told TechCrunch in a written statement that the compromised database was an "older file" from the service, formerly known as 'Associated Content'.

The company said that "less than" five percent of the accounts listed were still valid.

"We are fixing the vulnerability that led to the disclosure of this data, changing the passwords of the affected Yahoo! users and notifying the companies whose users accounts may have been compromised," the company said.

"We apologise to affected users."

Officials with Google, AOL and Microsoft could not immediately be reached for comment.

An analysis of the password dump by Eset security blogger Anders Nilsson has shown the most common passwords for the service were '123456', 'password' and 'welcome', while domains Yahoo!, Gmail and Hotmail appeared most frequently.

There were also emails from 1870 education domains, 93 government and 81 military.

Chairman Alfred Amoroso acknowledged that Yahoo had experienced a "tumultuous" year at its annual shareholder meeting on Thursday morning. Interim CEO Ross Levinsohn told attendees he was optimistic about the company's progress.

The theft follows a breach reported last month by the business networking service LinkedIn, which resulted in the release of some 6.4 million member passwords.

Tags:

Most Read Articles

You must be a registered member of iTnews to post a comment.
| Register

Poll

How should the costs of Australia's piracy scheme be split?
Rights holders should foot the whole bill
50/50
ISPs should foot the whole bill
Government should chip in a bit
Other
Flash is heading towards its grave, and that's...
Great! Good riddance
Sad! Flash had some good qualities
Irrelevant. I don't care
What's Flash?
View poll archive

Whitepapers from our sponsors

What will the stadium of the future look like?
What will the stadium of the future look like?
New technology adoption is pushing enterprise networks to breaking point
New technology adoption is pushing enterprise networks to breaking point
Gartner names IBM a 'Leader' for Disaster Recovery as a Service
Gartner names IBM a 'Leader' for Disaster Recovery as a Service
The next era of business continuity: Are you ready for an always-on world?
The next era of business continuity: Are you ready for an always-on world?

Log In

Username:
Password:
|  Forgot your password?