Yahoo officials confirmed that an older file from the Yahoo Voices (formerly Associated Content) was stolen July 12 by hackers, allowing them to get their hands on more than 400,000 user credentials.
Of that amount, less than 5 percent of the Yahoo accounts had valid passwords, the company told eWEEK. Besides Yahoo email addresses, the list also included email addresses for Gmail, Hotmail, AOL and other services. Users of the Yahoo Contributor Network can sign up using their Google or Facebook IDs, which accounts for the various emails listed.
"We are fixing the vulnerability that led to the disclosure of this data, changing the passwords of the affected Yahoo users and notifying the companies whose users' accounts may have been compromised," a spokesperson said. "We apologize to affected users. We encourage users to change their passwords on a regular basis and also familiarize themselves with our online safety tips at security.yahoo.com."
The breach occurred courtesy of a group of hackers known as D33Ds Company, which posted a text file with the information online and said they used union-based SQL injection to swipe the information.
"We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call, and not as a threat," D33Ds said in a message accompanying the leaked data. "There have been many security holes exploited in Web servers belonging to Yahoo! Inc. that have caused far greater damage than our disclosure. Please do not take them lightly. The subdomain and vulnerable parameters have not been posted to avoid further damage."
This is definitely a teachable moment on how not to store passwords in databases, said Marcus Carey, security researcher with Rapid7.
"This should be Application Development 101 at this point not to store passwords in clear text," Carey said.
Ron Gula, CEO and CTO of Tenable Network Security, agreed, noting that if the compromised file had only contained encrypted passwords, the hackers may not have realized what they had obtained.
"As with any type of social network service, if you reuse a password among many different sites, hackers may attempt to reuse these for other sites, such as your bank's Website," he said. "Yahoo is taking the right steps to fix and close this issue and notify their customers."
The Yahoo breach comes on the back of reports earlier this week of a leak affecting social networking site Formspring, which reported that 420,000 password hashes belonging to Formspring users had been posted to a hacking forum.
"Once we were able to verify that the hashes were obtained from Formspring, we locked down our systems and began an investigation to determine the nature of the breach," blogged Formspring founder Ade Olonoh. "We found that someone had broken into one of our development servers and was able to use that access to extract account information from a production database.
"We were able to immediately fix the hole and upgraded our hashing mechanisms from sha-256 with random salts to bcrypt to fortify security," he added. "We take this matter very seriously and continue to review our internal security policies and practices to help ensure that this never happens again."