Yahoo confirms password hack vulnerability fix

Company says it has plugged the vulnerability that enabled hackers to make off with 500,000 usernames and passwords

By Steve Evans

Yahoo has confirmed it has fixed a vulnerability that enabled hackers to gain access to a database of nearly half a million usernames and passwords belonging to members of its Yahoo Voices content portal.

The hack, which occurred late last week, saw the details of 450,000 members posted online. The company confirmed it had become the latest in a long line of hacking victims but stressed that the database file was "old" and that less than 5% of the compromised accounts had valid passwords.

Now the company has identified and fixed the vulnerability that enabled the hackers to gain access.

"We have taken swift action and have now fixed this vulnerability, deployed additional security measures for affected Yahoo users, enhanced our underlying security controls and are in the process of notifying affected users," a statement said.

"At Yahoo we take security very seriously and invest heavily in protective measures to ensure the security of our users and their data across all our products. We sincerely apologise to all affected users," the statement added.

A previously unknown hacking group calling itself D33DS Company claimed responsibility for the hack.

According to reports, the usernames and passwords were stored in plaintext, which drew heavy criticism from the security industry.

"The fact that the site’s database contained unencrypted passwords is a real cause for dismay," said David Emm, senior security researcher at Kaspersky Lab. "Unfortunately, many people use the same password for multiple online accounts. This brings with it the risk that a compromise of one account puts all their accounts at risk."

"Sadly, this breach highlights how enterprises continue to neglect basic security practices. According to the hackers, the breach was enabled by a union-based SQL injection vulnerability in the application, which is a well known attack," added Rob Rachwald, director of security strategy, Imperva.

"To add insult to injury, the passwords were stored in clear text and not hashed (encoded). One would think the recent LinkedIn breach would have encouraged change, but no. Rather, this episode will only inspire hackers worldwide," he added.
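The two failures the article describes, a union-based SQL injection and passwords stored in clear text, are shown side by side below. This is an added example written for this page, not Yahoo's code and not anything the attackers published: it builds a constructed SQLite database with an invented `users` table and a public `articles` lookup, shows how a UNION payload in the article query reads the users table, how a parameterised query stops it, and how salted password hashing limits what the same leak yields. The sample e-mail addresses and passwords are made up for the demonstration.

```python
"""Union-based SQL injection and plaintext password storage, side by side.

Added example, not Yahoo's code and not from the article. The `users`
and `articles` tables, the sample credentials and the function names are
all constructed here for illustration.
"""
import hashlib
import hmac
import os
import sqlite3

# PBKDF2-HMAC-SHA256 is used because it ships in the standard library;
# scrypt or Argon2id are the stronger choices for new systems.
PBKDF2_ITERATIONS = 200_000

SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password TEXT);
CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT);
INSERT INTO articles (title) VALUES ('Welcome to Voices');
"""

# Constructed sample credentials; the values are illustrative only.
SAMPLE_USERS = [("alice@example.com", "hunter2"), ("bob@example.com", "letmein")]


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256, encoded as '<salt hex>$<digest hex>'."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ITERATIONS
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def build_db(hash_passwords=False):
    """Return an in-memory database storing passwords plaintext or hashed."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for email, password in SAMPLE_USERS:
        stored = hash_password(password) if hash_passwords else password
        conn.execute("INSERT INTO users (email, password) VALUES (?, ?)", (email, stored))
    return conn


def find_article_vulnerable(conn, article_id):
    """Untrusted input is pasted into the SQL text: the injection point."""
    sql = "SELECT id, title FROM articles WHERE id = %s" % article_id
    return conn.execute(sql).fetchall()


def find_article_safe(conn, article_id):
    """The same lookup with a bound parameter; input is data, never SQL."""
    return conn.execute(
        "SELECT id, title FROM articles WHERE id = ?", (article_id,)
    ).fetchall()


# Union-based payload: the first SELECT matches no article, the appended
# SELECT has the same column count, so rows from `users` ride along.
UNION_PAYLOAD = "0 UNION SELECT email, password FROM users"


def leaked_plaintext_passwords(rows):
    """Which sample passwords appear verbatim in rows returned by a query?"""
    values = {v for row in rows for v in row if isinstance(v, str)}
    return sorted(pw for _, pw in SAMPLE_USERS if pw in values)


if __name__ == "__main__":
    plain = build_db()
    print("vulnerable, plaintext:", find_article_vulnerable(plain, UNION_PAYLOAD))
    print("parameterised:", find_article_safe(plain, UNION_PAYLOAD))
    hashed = build_db(hash_passwords=True)
    print("vulnerable, hashed:", find_article_vulnerable(hashed, UNION_PAYLOAD))
```

Against the plaintext database the vulnerable lookup returns every e-mail and password; the parameterised version returns nothing for the payload because the bound string is compared as a value rather than parsed as SQL. Hashing does not close the injection, but the same payload against the hashed database yields only salts and digests, which is the difference Emm and Rachwald are pointing at: a leaked table of hashes still has to be cracked one password at a time, whereas plaintext is usable immediately against every other site where the password was reused.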