Leaked file was an old one says Yahoo. But why wasn’t it encrypted?
Yahoo has confirmed that a file of more than 450,000 passwords was stolen from its Contributor Network which publishes content through Yahoo Voices, but claims that only five percent are valid.
The Yahoo passwords file, which was stolen and posted online by hackers going by the name of D33Ds as a wake-up call contained an unencrypted list of 453,000 login credentials, but Yahoo has apologised for the breach, and made a response claiming the data was an “older file” in which most of the passwords are now invalid.
Old Yahoo passwords
“We confirm that an older file from Yahoo! Contributor Network (previously Associated Content) containing approximately 450,000 Yahoo! and other company users names and passwords was compromised yesterday, July 11,” said a new official statement from Yahoo. “Of these, less than five percent of the Yahoo! accounts had valid passwords.”
Yahoo promises it is taking “immediate action” to fix the vulnerability that let hackers take the data – which the D33Ds group claims to have got using a SQL injection attack.
Yahoo says it is changing the passwords of the affected Yahoo! users and is “notifying the companies whose users accounts may have been compromised.”
Yahoo has yet to explain why the file was not encrypted, which security site TrustedSec says is “the most alarming part to the entire story.” Passwords should always be kept in encrypted form and the encrypted hash files should be “salted” to make them harder to decrypt. Business social networking site LinkedIn is facing legal action because its password file was stolen, and had been encrypted but not salted.
Given the evidence of lax security, all Yahoo users would be well advised to change their passwords to be on the safe side.
Are you a security guruf? Try our quiz!