This Thursday, Yahoo users had quite a scare. The company announced that 450,000 Yahoo Voices passwords had leaked, after the list had already been published by the D33Ds Company hackers.
Yesterday’s password leak didn’t impact only Yahoo users. At least that’s what the company said. Other big services were breached, including AOL, Hotmail and Gmail. The 450,000 Yahoo Voices password breach took place this Wednesday, as hackers managed to get their hands on a Yahoo Contributor Network file containing old user information.
Caroline MacLeod-Smith, head of Yahoo’s consumer PR division in the UK, confirmed “an older file from Yahoo Contributor Network (previously Associated Content) containing approximately 450,000 Yahoo and other company users names and passwords was compromised yesterday, July 11”.
According to Caroline MacLeod-Smith’s statement, the data obtained by the hackers was mostly outdated. Of the 450,000 Yahoo passwords, “less than 5 percent of the Yahoo accounts had valid passwords”.
Yahoo said it has started an investigation and is now working to fix “the vulnerability that led to the disclosure of this data”. Yahoo is also “changing the passwords of the affected Yahoo users and notifying the companies whose users accounts may have been compromised”. The company added that users should update “their passwords on a regular basis and also familiarize themselves with our online safety tips”.
The hackers, on the other hand, had a much more straightforward message. “We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call, and not as a threat”. The hackers didn’t say which Yahoo subdomain they breached, but Dave Kennedy, chief executive officer of security firm TrustedSec, believes it’s Yahoo Voices.
“There have been many security holes exploited in webservers belonging to Yahoo! Inc. that have caused far greater damage than our disclosure”, the hackers’ message reads. “Please do not take them lightly”, they warned, adding “the subdomain and vulnerable parameters have not been posted to avoid further damage”.
Mark Bower, Voltage Security vice president, told the New York Times that Yahoo made it easy for hackers to breach its systems. “Why haven’t organizations like Yahoo got it yet? SQL injection is a known attack. If what is stated is true, it’s utter negligence to store passwords in the clear”.