Yahoo Fixes Password-Hack Security Glitch

Brian Prince eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved,

Yahoo has fixed the vulnerability that allowed hackers to compromise 450,000 passwords, and has offered more details on who is affected

Yahoo officials say the vulnerability exploited by hackers that compromised about 450,000 emails and passwords has been fixed.

The company confirmed on 12 July that hackers had accessed an old file containing the sensitive information belonging to users of the Yahoo Contributor Network. The information was linked to writers who joined Associated Content – now known as Yahoo Voices – prior to its acquisition by Yahoo in May 2010.

Enhanced security

“We have taken swift action and have now fixed this vulnerability, deployed additional security measures for affected Yahoo! users, enhanced our underlying security controls and are in the process of notifying affected users,” the company said in a 13 July blog post. “In addition, we will continue to take significant measures to protect our users and their data.”

The breach was committed by a group of hackers known as “D33Ds Company”, which posted a text file with the information online and said it used union-based SQL injection to swipe the information. Besides Yahoo email addresses, the list also included email addresses for Gmail, Hotmail, AOL and other services.

Users of the Yahoo Contributor Network can sign up using their Google or Facebook IDs, which accounts for the various emails listed.

“We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call, and not as a threat,” D33Ds said in a message accompanying the leaked data. “There have been many security holes exploited in webservers belonging to Yahoo! Inc. that have caused far greater damage than our disclosure. Please do not take them lightly. The subdomain and vulnerable parameters have not been posted to avoid further damage.”

Invalid passwords

Fewer than 5 percent of the Yahoo accounts listed had valid passwords, a spokesperson told eWEEK on 12 July.

“Sadly, this breach highlights how enterprises continue to neglect basic security practices,” blogged Rob Rachwald, director of security strategy at Imperva. “According to the hackers, the breach was enabled by union-based SQL injection vulnerability in the application which is a well-known attack. To add insult to injury, the passwords were stored in clear text and not hashed (encoded). One would think the recent LinkedIn breach would have encouraged change, but no. Rather, this episode will only inspire hackers worldwide.”

Chris Petersen, CTO and founder of LogRhythm, noted that because users often utilise the same password for multiple accounts, cyber-criminals may be able to use the leaked information to access other sites if they can successfully map the compromised email address to the individual that owns it.

Yahoo is advising anyone who joined Associated Content prior to May 2010 using their Yahoo email address to log into their Yahoo account and go through the steps of changing and validating their credentials.

“At Yahoo! we take security very seriously and invest heavily in protective measures to ensure the security of our users and their data across all our products,” the company blogged. “We sincerely apologise to all affected users.”

Do you know the secrets of Wi-Fi? Take our quiz.