Yahoo slammed for security breach


In yet another big security breach, over 450 000 Yahoo usernames and passwords were stolen on Wednesday.

Yahoo acknowledged the breach, issuing a statement saying: “We confirm that an older file from Yahoo! Contributor Network (previously Associated Content), containing approximately 450 000 Yahoo! and other company users' names and passwords, was compromised yesterday”.

According to Yahoo, fewer than 5% of the Yahoo accounts in the compromised file had valid passwords. The usernames included some 106 000 Gmail addresses, 55 000 Hotmail addresses and 25 000 AOL addresses. These service providers also required affected users to reset their passwords.

The hack is believed to have been carried out by a hacker group known as the D33D Company. According to the NY Times, the hackers wrote a brief footnote on the data dump (which has since been removed) stating: “We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call, and not as a threat.”

“There have been many security holes exploited in Web servers belonging to Yahoo that have caused far greater damage than our disclosure. Please do not take them lightly.”

The hackers claimed to have used an SQL injection, a technique that exploits a software vulnerability, to perform the hack. Security experts have slammed Yahoo for the breach, saying SQL injection is a known attack and Yahoo should have taken the necessary precautions.

Plain text

A TrustSec post about the breach says: “The most alarming part to the entire story was the fact that the passwords were stored completely unencrypted and the full 400 000+ usernames and passwords are now public.”

Security firm ESET has also analysed the breach and identified the 10 most common passwords used. These included 123456, password, welcome, ninja, abc123, 123456789, 12345678, sunshine, princess, and qwerty.

ESET advises: “Since all the accounts are in plain-text, anyone with an account present in the leak which also has the same password on other sites (e-mail, Facebook, Twitter, etc), should assume that someone has accessed their account.”

Yahoo said: “We are taking immediate action by fixing the vulnerability that led to the disclosure of this data, changing the passwords of the affected Yahoo users and notifying the companies whose users' accounts may have been compromised.

“At Yahoo we take security very seriously and invest heavily in protective measures to ensure the security of our users and their data across all our products.” Yahoo went on to apologise to its affected users, and said it encourages users to change their passwords on a regular basis.

For users wanting to check whether their account details were compromised, security company Sucuri has set up a Web site that can tell users whether their e-mail address was included in the breach.
