Yahoo! breach exposes 400,000 passwords

By , on
Yahoo! breach exposes 400,000 passwords

Yahoo! Voices compromised.

More than 400,000 usernames and passwords associated with the Yahoo! Voices service have been stolen and published online due to a security vulnerability in the search company's systems.

A data file published on the web contained logins and cleartext passwords for Yahoo! with user credentials from services Gmail, AOL as well as Microsoft's Hotmail, MSN and Live sites.

"It's way bigger than Yahoo!," said Marcus Carey, a researcher with Rapid7.

"We can assume that tens of thousands of people on services outside of Yahoo could be compromised."

The credentials, kept in clear text, were reportedly hacked by a group called 'd33ds' using a SQL injection attack to extract the sensitive information from the database, according to TrustedSec.

The full text of the compromised database was available on the group's website, which now appears offline.

The group allegedly behind the attack had earlier taken credit for hacking rival groups and the hacking leader board RankMyHack.

Yahoo!'s Australian subsidiary Yahoo7 referred SC to the US for contact. The company does not promote Yahoo! Voice locally.

Yahoo! had not responded to SC's questions at time of writing but told TechCrunch in a written statement that the compromised database was an "older file" from the service, formerly known as 'Associated Content'.

The company said that "less than" five percent of the accounts listed were still valid.

"We are fixing the vulnerability that led to the disclosure of this data, changing the passwords of the affected Yahoo! users and notifying the companies whose users accounts may have been compromised," the company said.

"We apologise to affected users."

Officials with Google, AOL and Microsoft could not immediately be reached for comment.

An analysis of the password dump by Eset security blogger Anders Nilsson has shown the most common passwords for the service were '123456', 'password' and 'welcome', while domains Yahoo!, Gmail and Hotmail appeared most frequently.

There were also emails from 1870 education domains, 93 government and 81 military.

Chairman Alfred Amoroso acknowledged that Yahoo had experienced a "tumultuous" year at its annual shareholder meeting on Thursday morning. Interim CEO Ross Levinsohn told attendees he was optimistic about the company's progress.

The theft follows a breach reported last month by the business networking service LinkedIn, which resulted in the release of some 6.4 million member passwords.

Got a news tip for our journalists? Share it with us anonymously here.

Most Read Articles

Log In

  |  Forgot your password?