Yahoo Patches Password Leak

Share This Post

Yahoo says it has fixed the flaw that allowed hackers to steal more than 450,000 passwords from one of its many services.

The company also provided more information about whose passwords had been pilfered. “We have…now fixed this vulnerability, deployed additional security measures for affected Yahoo! users, enhanced our underlying security controls and are in the process of notifying affected users,” the company announced in a post to its blog early Friday. Yahoo has offered no specific information about the attack, how it was carried out or even when. Itconfirmed the attack Thursday. The hacker group D33Ds Company took responsibility for the breach, saying it had exploited a basic SQL injection vulnerability in a Yahoo service to steal the usernames and passwords associated with 453,000 accounts. The group published the passwords and e-mail addresses on the Web.

Hack Affects Associated Content Accounts

Yahoo also confirmed that the stolen account credentials belonged to registered users of its Yahoo Contributor Network, which was previously known as Associated Content. Yahoo Contributor Network is a platform that generates high-volume, low-cost content by letting writers photographers, and others share their work with Yahoo members and earn money based on the traffic their content generates. Users who contribute to the network are required to sign in using a Yahoo, Google or Facebook ID.

Associated Content, which was founded in 2005, was bought by Yahoo for just over $100 million in May 2010. Yahoo renamed the service in late 2011, when it also launched Yahoo Voices, a portal where users access content posted by the Yahoo Contributor Network. According to Yahoo, only people who registered as providers with Associated Content before the 2010 acquisition were affected by the password theft. “[The] compromised file was a standalone file that was not used to grant access to Yahoo! systems and services,” Yahoo maintained. Just under a third of the stolen passwords were linked to accounts registered to a yahoo.com e-mail address, security company Rapid7 said Thursday. Significant chunks of the file, however, were composed of Gmail (23.6 percent of all accounts) and Hotmail (12.2 percent) addresses. All users with older Associated Content accounts, no matter the e-mail address used, should immediately change the passwords for those e-mail accounts as well as any identical or similar passwords used to secure other online services or websites, security experts have said. Rapid7 security researcher Marcus Carey said Thursday that the file published by D33Ds included 123 government e-mail accounts — ones ending with “.gov” — and 235 military-related addresses (ending with “.mil”). Among the government e-mail accounts, Carey found several associated with the FBI, the Transportation Security Administration (TSA) and the Department of Homeland Security (DHS).

Security Experts Blast Yahoo

Security experts have been scathing in their criticism of Yahoo, in large part because the passwords were stored in plain-text, making the hackers’ job of exploiting the stolen accounts a breeze. Mark Bower, a data protection expert and executive at Voltage Security, said, “It’s utter negligence to store passwords in the clear.” Rob Rachwald, director of security strategy at Imperva, also took Yahoo to the woodshed. “To add insult to injury, the passwords were stored in clear text and not hashed (encoded),” Rachwald wrote in a blog post. “One would think the recent LinkedIn breach would have encouraged change, but no. Rather, this episode will only inspire hackers worldwide.” The LinkedIn breach Rachwald referenced came to light last month, and involved approximately 6.5 million encrypted passwords belonging to members of the networking service. In its Friday blog, Yahoo again apologized to users affected by the password theft.  

Stay Ahead: Join the EwtNet Insider Email Club!

Stay informed and up-to-date with EwtNet's email subscription. Join our exclusive community and receive curated news, updates, and insights tailored to your interests.

Related Posts

TechCrunch: Yahoo Bought Aviate For $80M

Earlier this week, Yahoo announced that it had acquired...

Anonymous stumbles, but hackers still hazardous

It hasn't been the best of months for Anonymous,...

How to Protect Your Social Network Accounts from Hackers

A tech journalist learned a tough lesson recently. But...

Yahoo acknowledges Yahoo Mail hack

Have your friends recently texted you about spam originating...

Yahoo Mail still down for some users, after an attempted fix

Yahoo’s Mail service is reported to be still down...

Windows 8 Leaked in Final Form

A final copy of Windows 8 leaked to the...
- Advertisement -

Discover more from EwtNet

Subscribe now to keep reading and get access to the full archive.

Continue reading