Update (@12:15p CST) – Per a story on ZDNET (http://www NULL.zdnet NULL.com/yahoo-confirms-400000-accounts-hacked-less-than-5-valid-7000000812/), Yahoo now confirms the event, however claims that only 5% of the over 450,000 user passwords that were compromised are valid.
”At Yahoo! we take security very seriously and invest heavily in protective measures to ensure the security of our users and their data across all our products,” a Yahoo spokesperson said in a statement obtained by TechCrunch (http://techcrunch NULL.com/2012/07/12/yahoo-confirms-apologizes-for-the-email-hack-says-still-fixing-plus-check-if-you-were-impacted-non-yahoo-accounts-apply/). “We confirm that an older file from Yahoo! Contributor Network (previously Associated Content) containing approximately 400,000 Yahoo! and other company users names and passwords was stolen yesterday, July 11. Of these, less than 5% of the Yahoo! accounts had valid passwords. We are fixing the vulnerability that led to the disclosure of this data, changing the passwords of the affected Yahoo! users and notifying the companies whose users accounts may have been compromised. We apologize to affected users. We encourage users to change their passwords on a regular basis and also familiarize themselves with our online safety tips at security.yahoo.com (http://security NULL.yahoo NULL.com).”
It is still recommended that you change your password if you use any Yahoo service (Email, Chat, IM, etc.) and also change your password on any other non-yahoo site that uses the same user name and password that was used for Yahoo.
There are reports this morning that over 450,000 Yahoo Voice passwords have been compromised and posted online by a hacker group calling themselves “D33DS Company”. The group used what is known as a SQL Injection (http://en NULL.wikipedia NULL.org/wiki/SQL_injection), which basically tricks a website database into dumping its information to the attacker.
With all of the high-profile sites that have recently had their passwords compromised (Sony, LinkedIn, eHarmony, Lastfm, among others), what is surprising is that a Major company like Yahoo was storing its passwords in plain text. What that means is that anyone at all could see the user name and password, which is like putting a piece of paper on your refrigerator with all your user name / passwords that you use, and then having someone break into your home and steal it. Once they have it, there much they couldn’t do. Sites that actually take their security seriously keep that information encrypted in such a way that even if the file was taken, the person taken it would be unable to actually see what it says.
In the case of D33DS, they claim the following as part of the information they posted online.
If you want to try to see the list of passwords, they can be found on the D33DS site (https://d33ds NULL.co/archive/yahoo-disclosure NULL.txt), however, due to heavy traffic you may find it a little difficult to actually access the site.
Recommended Password Change
As always when situations like these occur. It is advisable to change your password if you are a user of the affected service/site, even if you are not on the list compromised. In addition, if you use the same user name and password on other sites that you use on yahoo voice (or any other compromised site) you want to change your password on those sites as well. Read more