Updated: Yahoo hack yields 435,000 passwords

Yahoo has kicked off an investigation into a hack and extract operation of its Voices website that apparently compromised over 435,000 accounts via an SQL Injection attack.

”A recent post over 400,000 plus accounts that have clear text passwords were posted online. The passwords contained a wide variety of email addresses including those from yahoo.com, gmail.com, aol.com, and much more,” TrustedSec researchers confirmed in an official post.

“The affected website was only named as a subdomain of yahoo.com however digging through and searching for the hostname, the attacker forgot to remove the hostname ‘dbb1.ac.bf1.yahoo.com.’ Looking through a variety of sources, it appears that the compromised server was likely Yahoo! Voices which was formally known as Associated Content.”

According to TrustedSec, the data was stored in “completely unencrypted” files.

As such, the full 400,000+ usernames and passwords are now public after being posted by a hacker group known as “D33DS Company.”

“We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call, and not as a threat,” the group wrote in an online communiqué. 

Meanwhile, Sophos security researcher Anna Brading recommended that Yahoo Voices users change their passwords ASAP – even if the hacker group themselves wasn’t planning to use the information for ill-gotten gains.

“There are certainly questions which need to be answered – such as how were the hackers able to gain access to the information, and what measures was the site taking to ensure that even if its databases were breached, the passwords would not be easy to convert into plain text,” Brading wrote in a security blog post.

“Unfortunately, the list of compromised websites just seems to keep growing. In a little over a month, we’ve reported on breaches of Formspring, Last.fm, LinkedIn and eHarmony.”

Yahoo has issued the following official statement:

“At Yahoo! we take security very seriously and invest heavily in protective measures to ensure the security of our users and their data across all our products. We confirm that an older file from Yahoo! Contributor Network (previously Associated Content) containing approximately 400,000 Yahoo! and other company users names and passwords was stolen yesterday, July 11,” a Yahoo spokesperson said in a statement obtained by TechCrunch.

“Of these, less than 5% of the Yahoo! accounts had valid passwords. We are fixing the vulnerability that led to the disclosure of this data, changing the passwords of the affected Yahoo! users and notifying the companies whose users accounts may have been compromised. We apologize to affected users. We encourage users to change their passwords on a regular basis and also familiarize themselves with our online safety tips at security.yahoo.com.”