Yahoo officials say the vulnerability exploited by hackers that compromised about 450,000 emails and passwords has been fixed.
The company confirmed July 12 that hackers had accessed an old file containing the sensitive information belonging to users of the Yahoo Contributor Network. The information was linked to writers who joined Associated Content — now known as Yahoo Voices — prior to its acquisition by Yahoo in May 2010.
“We have taken swift action and have now fixed this vulnerability, deployed additional security measures for affected Yahoo! users, enhanced our underlying security controls and are in the process of notifying affected users,” the company said in a July 13 blog post. “In addition, we will continue to take significant measures to protect our users and their data.”
The breach was committed by a group of hackers known as D33Ds Company, which posted a text file with the information online and said it used union-based SQL injection to swipe the information. Besides Yahoo email addresses, the list also included email addresses for Gmail, Hotmail, AOL and other services. Users of the Yahoo Contributor Network can sign up using their Google or Facebook IDs, which accounts for the various emails listed.
“We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call, and not as a threat,” D33Ds said in a message accompanying the leaked data. “There have been many security holes exploited in webservers belonging to Yahoo! Inc. that have caused far greater damage than our disclosure. Please do not take them lightly. The subdomain and vulnerable parameters have not been posted to avoid further damage.”
Fewer than 5 percent of the Yahoo accounts listed had valid passwords, a spokesperson told eWEEK July 12.
“Sadly, this breach highlights how enterprises continue to neglect basic security practices,” blogged Rob Rachwald, director of security strategy at Imperva. “According to the hackers, the breach was enabled by union-based SQL injection vulnerability in the application which is a well-known attack. To add insult to injury, the passwords were stored in clear text and not hashed (encoded). One would think the recent LinkedIn breach would have encouraged change, but no. Rather, this episode will only inspire hackers worldwide.”
Chris Petersen, CTO and founder of LogRhythm, noted that because users often utilize the same password for multiple accounts, cyber-criminals may be able to use the leaked information to access other sites if they can successfully map the compromised email address to the individual that owns it.
Yahoo is advising anyone who joined Associated Content prior to May 2010 using their Yahoo email address to log into their Yahoo account and go through the steps of changing and validating their credentials.
“At Yahoo! we take security very seriously and invest heavily in protective measures to ensure the security of our users and their data across all our products,” the company blogged. “We sincerely apologize to all affected users.”