Yahoo's network was compromised overnight by attackers attempting to exploit the Bash command line interpreter flaw, dubbed Shellshock, with some of the company's servers impacted and isolated.
A Yahoo spokesperson confirmed in a statement to SecurityWeek that the company had "no evidence of a compromise to our user data".
Jonathan Hall, head of New Orleans-based IT services company Future South, said that while researching whether Shellshock was being actively exploited, he discovered that Romanian hackers had used the vulnerability to gain access to Yahoo servers.
After the servers had been compromised, the Romanian hackers proceeded to build a botnet, Hall said.
He added that the attackers were working towards exploiting Yahoo's games servers.
Hall posted what he said are transcripts from Internet Relay Chat (IRC) log files, showing hackers having full root access to privileged parts of the systems and installing Perl scripts on the servers.
He also believed the hackers had infiltrated another search engine, Lycos, and the site of file archiving utility developer WinZip.
Hall said he contacted Yahoo and its chief executive Marissa Mayer about the hack but received no response initially.
"It was not until I contacted several media outlets and the FBI that they responded. Once they responded, they did confirm the servers were breached," Hall wrote.
Yahoo told Hall it had "found the tracks mentioned in your email and are working through our IR process."
Yahoo's security response team also suggested he file reports through Yahoo's Bug Bounty program, even though the issue he alerted on doesn't qualify for awards under it.
iTnews has contacted Yahoo's security department for comment on the issue.
Update 8/10: Yahoo chief information security officer Alex Stamos confirmed on Hacker News that the servers in question along with a third machine were impacted by a security flaw.
While Stamos said an investigation showed the servers were not directly affected by the Shellshock vulnerability, attackers managed to trigger another bug while scanning for the Bash command line interpreter flaw.