Yahoo Voices Breach Exposes 453,000 Passwords

Yahoo is the latest tech company to fall victim to a hack, thanks to a SQL injection that reportedly accessed more than 400,000 passwords from Yahoo Voices.

July 12, 2012

Yahoo is the latest tech company to fall victim to a hack, thanks to a SQL injection that reportedly allowed access to more than 400,000 passwords from Yahoo Voices.

As noted by TrustedSec, passwords from Yahoo Voices - which features articles penned by average Yahoo users - were posted online, but the information was not restricted to Yahoo Mail.

"The passwords contained a wide variety of email addresses including those from yahoo.com, gmail.com, aol.com, and much more," TrustedSec wrote.

The hacker apparently forgot to delete the host name (dbb1.ac.bf1.yahoo.com), allowing TrustedSec to determine that Yahoo Voices, , was the compromised server.

The "most alarming" part of the breach, TrustedSec said, "was the fact that the passwords were stored completely unencrypted and the full 400,000+ usernames and passwords are now public. The method for the compromise was apparently a SQL Injection attack to extract the sensitive information from the database."

According to security firm Sophos, the list of 453,491 emails and passwords was posted online by hacker group D33DS Company.

"We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call, and not as a threat," D33DS said, according to a Sophos blog post.

"The only silver lining on the cloud is that the website hosting the passwords is temperamental, and people are experiencing difficulties accessing the information," wrote Sophos analyst Anna Brading. "But maybe the access problems are being caused by so many people trying to access the stolen passwords at once?"

In a statement, Yahoo confirmed that approximately 400,000 usernames and passwords were stolen on July 11 from "an older file" on the Yahoo Contributor Network.

"Of these, less than 5 percent of the Yahoo! accounts had valid passwords," Yahoo said. "We are fixing the vulnerability that led to the disclosure of this data, changing the passwords of the affected Yahoo! users and notifying the companies whose users accounts may have been compromised."

Yahoo apologized for the breach and urged users to change their passwords.

The Yahoo breach is just the latest in a string of password hacks. A led to about 420,000 passwords being accessed and posted to a security forum. That came several weeks after LinkedIn, Last.fm, and eHarmony all confirmed password breaches. Online dating site stolen; far fewer than networking site . Last.fm topped the bunch, with , according to the music site.

Editor's Note: This story was updated at 11:30 a.m. Eastern with comment from Yahoo.