Less than 5 percent of the Yahoo accounts had valid passwords listed, the company contends.
Yahoo officials confirmed that an older file
from the Yahoo Voices (formerly Associated Content) was stolen July 12 by
hackers, allowing them to get their hands on more than 400,000 user
Of that amount, less than 5 percent of the
Yahoo accounts had valid passwords, the company told eWEEK
Yahoo email addresses, the list also included email addresses for Gmail,
Hotmail, AOL and other services. Users of the Yahoo Contributor Network can
sign up using their Google or Facebook IDs, which accounts for the various
"We are fixing the vulnerability that
led to the disclosure of this data, changing the passwords of the affected
Yahoo users and notifying the companies whose users' accounts may have been
compromised," a spokesperson said. "We apologize to affected
users. We encourage users to change their passwords on a regular basis and
also familiarize themselves with our online safety tips at security.yahoo.com
The breach occurred courtesy of a group of
hackers known as D33Ds Company, which posted a text file with the information
online and said they used union-based SQL injection to swipe the information.
"We hope that the parties responsible
for managing the security of this subdomain will take this as a wake-up call,
and not as a threat," D33Ds said in a message accompanying the leaked
data. "There have been many security holes exploited in Web servers
belonging to Yahoo! Inc. that have caused far greater damage than our
disclosure. Please do not take them lightly. The subdomain and vulnerable
parameters have not been posted to avoid further damage."
This is definitely a teachable moment on how
not to store passwords in databases, said Marcus Carey, security researcher
"This should be Application Development
101 at this point not to store passwords in clear text," Carey said.
Ron Gula, CEO and CTO of Tenable Network
Security, agreed, noting that if the compromised file had only contained
encrypted passwords, the hackers may not have realized what they had obtained.
"As with any type of social network
service, if you reuse a password among many different sites, hackers may
attempt to reuse these for other sites, such as your bank's Website," he
said. "Yahoo is taking the right steps to fix and close this issue and
notify their customers."
The Yahoo breach comes on the back of reports
earlier this week of a leak affecting social networking site Formspring, which
reported that 420,000 password hashes belonging to Formspring users had been
posted to a hacking forum.
"Once we were able to verify that the
hashes were obtained from Formspring, we locked down our systems and began an
investigation to determine the nature of the breach," blogged Formspring founder
"We found that someone had broken into one of our
development servers and was able to use that access to extract account
information from a production database.
"We were able to immediately fix the
hole and upgraded our hashing mechanisms from sha-256 with random salts to
bcrypt to fortify security," he added. "We take this matter very
seriously and continue to review our internal security policies and practices
to help ensure that this never happens again."