Yahoo confirms theft of 450K unencrypted passwords

'Utter negligence,' says expert about latest online business black eye that included disclosure of .gov and .mil account info

Yahoo today confirmed that 450,000 unencrypted usernames and passwords were stolen Wednesday from one of its services, although it downplayed the threat.

"We confirm that an older file from Yahoo! Contributor Network, previously Associated Content, containing approximately 450,000 Yahoo! and other company usernames and passwords was compromised yesterday, July 11," Yahoo said in a statement forwarded by a company spokeswoman Thursday.

"Of these, less than 5% of the Yahoo! accounts had valid passwords," the company maintained. However, it did not say what percentage of the remaining accounts, which included over 100,000 Gmail addresses and more than 55,000 Hotmail addresses, included valid passwords.

Yahoo Contributor Network is a platform that lets writers, photographers, and others share content with Yahoo members and earn money based on the traffic it generates. Users who contribute to the network are required to sign in using a Yahoo, Google or Facebook ID.

Yesterday, a hacker group calling itself "the D33Ds Company" claimed to have hacked into a Yahoo database by exploiting an SQL injection vulnerability found on a Yahoo subdomain. The group published a list of 453,492 plain-text email addresses and passwords.

Based on a host name left in the published materials, speculation yesterday focused on Yahoo Voices as the most likely subdomain that was hacked. Yahoo Voices is the portal where users access the content posted by the Yahoo Contributor Network.

Yahoo said it was "fixing the vulnerability that led to the disclosure of this data," but did not confirm that the bug had actually been quashed. The company was also changing the passwords of affected Yahoo members.

"We apologize to all affected users," said Yahoo.

Almost a third -- 30.3% -- of the leaked email addresses were ones from yahoo.com, while 23.6% were Gmail addresses and 12.2% were Hotmail addresses, said security company Rapid7, which did a quick analysis of the data published on the Web Wednesday.

Aol.com, comcast.com, msn.com, sbcglobal.com, live.com, verizon.net and bellsouth.net addresses rounded out the top 10.

Also included in the cache, said Marcus Carey, security researcher at Rapid7, were 123 government email accounts -- ones ending with ".gov" -- and 235 military-related addresses (ending with ".mil").

"Some of the government addresses were from various [U.S.] intelligence agencies, the FBI, TSA [Transportation Security Administration] and DHS [Department of Homeland Security]," said Carey. "Those, and of course, the .mil accounts, could be used for targeted attacks later."

[Chart: Yahoo breach] Yahoo accounts made up less than a third of the 450,000 stolen from an online content-sharing service. (Data: Rapid7.)

Yahoo did not immediately respond to follow-up questions, including whether the leaked addresses and passwords were only from the pool of people who had registered with the Content Network to post their work on the site, or whether others, including those who may have accessed the content via the Voices portal, also needed to be concerned about the breach.
