Yahoo confirms theft of 450K unencrypted passwords
'Utter negligence,' says expert about latest online business black eye that included disclosure of .gov and .mil account info
Computerworld - Yahoo today confirmed that 450,000 unencrypted usernames and passwords were stolen Wednesday from one of its services, although it downplayed the threat.
"We confirm that an older file from Yahoo! Contributor Network, previously Associated Content, containing approximately 450,000 Yahoo! and other company usernames and passwords was compromised yesterday, July 11," Yahoo said in a statement forwarded by a company spokeswoman Thursday.
"Of these, less than 5% of the Yahoo! accounts had valid passwords," the company maintained. However, it did not say what percentage of the remaining accounts, which included over 100,000 Gmail addresses and more than 55,000 Hotmail addresses, included valid passwords.
Yahoo Contributor Network is a platform that lets writers, photographers, and others share content with Yahoo members and earn money based on the traffic it generates. Users who contribute to the network are required to sign in using a Yahoo, Google or Facebook ID.
Yesterday, a hacker group calling itself "the D33Ds Company" claimed to have hacked into a Yahoo database by exploiting an SQL injection vulnerability found on a Yahoo subdomain. The group published a list of 453,492 plain-text email addresses and passwords.
Based on a host name left in the published materials, speculation yesterday focused on Yahoo Voices as the most likely subdomain that was hacked. Yahoo Voices is the portal where users access the content posted by the Yahoo Contributor Network.
Yahoo said it was "fixing the vulnerability that led to the disclosure of this data," but did not confirm that the bug had actually been quashed. The company was also changing the passwords of affected Yahoo members.
"We apologize to all affected users," said Yahoo.
Almost a third -- 30.3% -- of the leaked email addresses were ones from yahoo.com, while 23.6% were Gmail addresses and 12.2% were Hotmail addresses, said security company Rapid7, which did a quick analysis of the data published on the Web Wednesday.
Aol.com, comcast.com, msn.com, sbcglobal.com, live.com, verizon.net and bellsouth.net addresses rounded out the top 10.
Also included in the cache, said Marcus Carey, security researcher at Rapid7, were 123 government email accounts -- ones ending with ".gov" -- and 235 military-related addresses (ending with ".mil").
"Some of the government addresses were from various [U.S.] intelligence agencies, the FBI, TSA [Transportation Security Administration] and DHS [Department of Homeland Security]," said Carey. "Those, and of course, the .mil accounts, could be used for targeted attacks later."
Yahoo did not immediately respond to follow-up questions, including whether the leaked addresses and passwords were only from the pool of people who had registered with the Content Network to post their work on the site, or whether others, including those who may have accessed the content via the Voices portal, also needed to be concerned about the breach.