There were reports earlier today about 453,000 Yahoo passwords being stolen. The password and username data was stored as plain text within an SQL database and extracted by a hacker group called D33Ds Company. The hackers said they went public with the usernames and passwords to highlight weaknesses in Yahoo security. Tonight Yahoo has confirmed the security breach, saying that only a few of the leaked passwords are valid.
Yahoo says an “old” file from the Yahoo Contributor Network was compromised. Because it is a content-sharing platform, many of the usernames and passwords were from Yahoo services and others such as Gmail and Hotmail. The company says it will fix the vulnerabilities, change affected user passwords and notify those users. Yahoo apologised for the breach; in a statement it said “We apologize to affected users. We encourage users to change their passwords on a regular basis and also familiarize themselves with our online safety tips at security.yahoo.com”.
D33Ds Company says it obtained the user login details using an SQL injection technique, an attack commonly used by hackers trying to extract data from vulnerable servers. “Take this as a wake-up call,” declared the hacking group.
A partially erased screenshot of the user:pass list published by D33Ds Company
Security-focused website TrustedSec said it is highly alarming that Yahoo chose to store the 453,000 passwords in a completely unencrypted form. As I write, the D33Ds Company website seems to have collapsed under the throng of visitors; either that or some authority has made it unavailable for now.
As for who is and who is not affected, TrustedSec recommends all Yahoo users change their passwords immediately. However, Yahoo said less than five per cent of the released details were currently valid. C|net has a list of the top 20 domains/passwords compromised by the D33Ds Company disclosure. If you have user accounts with any of those services, it may be worth updating passwords there too. However, it seems to me that you must have signed up for the Yahoo Contributor Network at some point to be on the leaked 453,000 user list.