Yahoo has confirmed it has fixed a vulnerability that enabled hackers to gain access to a database of nearly half a million usernames and passwords belonging to members of its Yahoo Voices content portal.
The hack, which occurred late last week, saw the details of 450,000 members posted online. The company confirmed it had become the latest in a long line of hacking victims but stressed that the database file was "old" and that less than 5% of the compromised accounts had a valid passwords.
Now the company has identified and fixed the vulnerability that enabled the hackers to gain access.
"We have taken swift action and have now fixed this vulnerability, deployed additional security measures for affected Yahoo users, enhanced our underlying security controls and are in the process of notifying affected users," a statement said.
"At Yahoo we take security very seriously and invest heavily in protective measures to ensure the security of our users and their data across all our products. We sincerely apologise to all affected users," the statement added.
A previously unknown hacking group calling itself D33DS Company claimed responsibility for the hack.
According to reports the usernames and passwords were stored in plaintext, which drew huge criticism from the security industry.
"The fact that the site’s database contained unencrypted passwords is a real cause for dismay," said David Emm, senior security researcher at Kaspersky Lab. "Unfortunately, many people use the same password for multiple online accounts. This brings with it the risk that a compromise of one account puts all their accounts at risk."
"Sadly, this breach highlights how enterprises continue to neglect basic security practices. According to the hackers, the breach was enabled by union based SQL injection vulnerability in the application which is a well known attack," added Rob Rachwald, director of security strategy, Imperva.
"To add insult to injury, the passwords were stored in clear text and not hashed (encoded). One would think the recent LinkedIn breach would have encouraged change, but no. Rather, this episode will only inspire hackers worldwide," he added.
