Nearly half a million usernames and passwords from a Yahoo service have been hacked and posted online. A previously unknown hacker group called D33DS Company has claimed responsibility for the hack.
At this stage it is not entirely clear which Yahoo service has been hacked. The TrustedSec website is reporting that it is Yahoo Voices that has been breached. Yahoo Voices is the company’s user-generated content portal, offering articles, videos and photos created by its users. Other reports suggested it is Yahoo Voice, the company’s VoIP service, that suffered the hack.
Update: Yahoo has confirmed it was hacked and that Yahoo Voices was the service hit. See statement at the end of this article.
What is alarming about this latest hacking incident is that it appears the passwords were being stored unencrypted. The 450,000 usernames and passwords were subsequently posted online.
It appears the hackers used a SQL-injection to access the database, which would have given them administrator-level access to the database and all its content.
The hackers said they hoped the incident serves as a wake-up call for Yahoo. "We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call, and not as a threat," a statement posted alongside the hacked passwords said.
There have been many security holes exploited in web servers belonging to Yahoo! Inc. that have caused far greater damage than our disclosure. Please do not take them lightly. The subdomain and vulnerable parameters have not been posted to avoid further damage," the statement added.
"There are certainly questions which need to be answered," wrote Anna Brading, security consultant at Sophos. "Such as how were the hackers able to gain access to the information, and what measures was the site taking to ensure that even if its databases were breached, the passwords would not be easy to convert into plain text."
With this hack Yahoo has become the latest big name site to fall victim to attackers. In June this year business networking site LinkedIn admitted that 6.5 million passwords were stolen when attackers breached one of its databases. The company is now facing a $5m lawsuit over the incident.
Just days after the LinkedIn hack, online dating service eHarmony and music site Last.fm both admitted to being the victims of hacking attacks that exposed user passwords.
UPDATE: Yahoo has confirmed it was hacked and that the usernames and passwords were genuine.
"We confirm that an older file from Yahoo! Contributor Network (previously Associated Content) containing approximately 400,000 Yahoo! and other company users names and passwords was stolen yesterday, July 11," the statement read.
"Of these, less than 5% of the Yahoo! accounts had valid passwords. We are fixing the vulnerability that led to the disclosure of this data, changing the passwords of the affected Yahoo! users and notifying the companies whose users accounts may have been compromised," the statement added.
"We apologise to affected users. We encourage users to change their passwords on a regular basis and also familiarise themselves with our online safety tips at security.yahoo.com."
