Yahoo Confirms 400,000 Passwords Stolen in Hack - Security - News & Reviews - eWeek.com | eWeek

Yahoo Confirms 400,000 Passwords Stolen in Hack

Écrit par
Brian Prince
Brian Prince
Jul 12, 2012
3 minute read
eWeek Le contenu et les recommandations de produits sont indépendants de la rédaction. Nous pouvons gagner de l'argent lorsque vous cliquez sur des liens vers nos partenaires. En savoir plus

Yahoo officials confirmed that an older file from the Yahoo Voices (formerly Associated Content) was stolen July 12 by hackers, allowing them to get their hands on more than 400,000 user credentials.

Of that amount, less than 5 percent of the Yahoo accounts had valid passwords, the company told eWEEK. Besides Yahoo email addresses, the list also included email addresses for Gmail, Hotmail, AOL and other services. Users of the Yahoo Contributor Network can sign up using their Google or Facebook IDs, which accounts for the various emails listed.

“We are fixing the vulnerability that led to the disclosure of this data, changing the passwords of the affected Yahoo users and notifying the companies whose users’ accounts may have been compromised,” a spokesperson said. “We apologize to affected users. We encourage users to change their passwords on a regular basis and also familiarize themselves with our online safety tips at security.yahoo.com.”

The breach occurred courtesy of a group of hackers known as €œD33Ds Company,€ which posted a text file with the information online and said they used union-based SQL injection to swipe the information.

“We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call, and not as a threat,” D33Ds said in a message accompanying the leaked data. “There have been many security holes exploited in Web servers belonging to Yahoo! Inc. that have caused far greater damage than our disclosure. Please do not take them lightly. The subdomain and vulnerable parameters have not been posted to avoid further damage.”

This is definitely a teachable moment on how not to store passwords in databases, said Marcus Carey, security researcher with Rapid7.

“This should be €˜Application Development 101€™ at this point not to store passwords in clear text,” Carey said.

Ron Gula, CEO and CTO of Tenable Network Security, agreed, noting that if the compromised file had only contained encrypted passwords, the hackers may not have realized what they had obtained.

“As with any type of social network service, if you reuse a password among many different sites, hackers may attempt to reuse these for other sites, such as your bank’s Website,” he said. “Yahoo is taking the right steps to fix and close this issue and notify their customers.”

The Yahoo breach comes on the back of reports earlier this week of a leak affecting social networking site Formspring, which reported that 420,000 password hashes belonging to Formspring users had been posted to a hacking forum.

“Once we were able to verify that the hashes were obtained from Formspring, we locked down our systems and began an investigation to determine the nature of the breach,” blogged Formspring founder Ade Olonoh. “We found that someone had broken into one of our development servers and was able to use that access to extract account information from a production database.

“We were able to immediately fix the hole and upgraded our hashing mechanisms from sha-256 with random salts to bcrypt to fortify security,” he added. “We take this matter very seriously and continue to review our internal security policies and practices to help ensure that this never happens again.”

eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

Propriété de TechnologyAdvice. © 2026 TechnologyAdvice. Tous droits réservés

Divulgation publicitaire : Certains des produits qui apparaissent sur ce site proviennent d'entreprises dont TechnologyAdvice reçoit une compensation. Cette compensation peut influencer la façon dont les produits apparaissent sur ce site, notamment l'ordre dans lequel ils apparaissent. TechnologyAdvice n'inclut pas toutes les entreprises ou tous les types de produits disponibles sur le marché.