Yahoo Passwords Hacked And Posted Online

Yahoo has admitted that it has been hacked, and more than 450,000 Yahoo passwords have been posted online – most likely from the Yahoo Voices online discussion and publication site. Security experts say the problem has been made worse by Yahoo storing its passwords unencrypted.

The huge list of credentials, in plain text, was posted to the hacker community site D33D company, having been extracted by what the attackers describe as an SQL injection technique.

Yahoo Voices hacked?

A Yahoo statement has acknowledged the problem and advised users to follow normal security procedures, including changing passwords regularly.

Yahoo has not confirmed which service was hit, but security site TrustedSec checked the details posted, and found the hackers had not deleted all the domain details. A domain name called “”  led them to the conclusion that the service involved is Yahoo Voices.

“The most alarming part to the entire story was the fact that the passwords were stored completely unencrypted and the full 400,000+ usernames and passwords are now public,” TrustedSec commented. Others have pointed out that the passwords may turn out to be an old file and not current user names.

Passwords should always be kept in encrypted form, and the stored hashes should be “salted” to make them harder to crack. Business social networking site LinkedIn is facing legal action because its password file, which had been encrypted but not salted, was stolen.
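The three storage schemes contrasted above (plain text as in this leak, hashed but unsalted, and salted) compared side by side, as an added example that is not from the article or from Yahoo. The sample accounts are constructed, and the choice of PBKDF2-HMAC-SHA256 with 600,000 iterations and the function names are assumptions of this example.

```python
import hashlib
import hmac
import os
from collections import Counter

PBKDF2_ITERATIONS = 600_000  # assumed work factor for this example

# Constructed sample accounts; two users picked the same password.
SAMPLE_USERS = {"alice": "123456", "bob": "123456", "carol": "correct horse"}

def unsalted_hash(password):
    """Fast, unsalted digest: equal passwords give equal stored values."""
    return hashlib.sha1(password.encode("utf-8")).digest()

def salted_hash(password, salt=None):
    """Return (salt, digest) using a random per-user salt and a slow KDF."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest

def verify(password, salt, stored_digest):
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = salted_hash(password, salt)
    return hmac.compare_digest(candidate, stored_digest)

def accounts_sharing_a_digest(digests):
    """Count accounts whose stored digest also appears on another account."""
    counts = Counter(digests.values())
    return sum(1 for d in digests.values() if counts[d] > 1)

def build_tables(users):
    """Build the three storage schemes side by side for comparison."""
    plaintext = dict(users)
    unsalted = {u: unsalted_hash(p) for u, p in users.items()}
    salted = {u: salted_hash(p) for u, p in users.items()}
    return plaintext, unsalted, salted

if __name__ == "__main__":
    plaintext, unsalted, salted = build_tables(SAMPLE_USERS)
    print("plaintext leak exposes:", list(plaintext.values()))
    print("unsalted, accounts sharing a digest:",
          accounts_sharing_a_digest(unsalted))
    print("salted, accounts sharing a digest:",
          accounts_sharing_a_digest({u: d for u, (_, d) in salted.items()}))
    salt, digest = salted["alice"]
    print("alice login ok:", verify("123456", salt, digest))
```

With unsalted digests, anyone holding the stolen table can see which accounts share a password and can reuse one precomputed lookup across all of them; the per-user salt removes both shortcuts.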

The hackers, who entered a Yahoo subdomain and stole the data, claimed the attack was a “wake up call” to expose lax security at the Internet giant. A message posted with the data read: “We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call, and not as a threat. There have been many security holes exploited in webservers belonging to Yahoo! Inc. that have caused far greater damage than our disclosure. Please do not take them lightly. The subdomain and vulnerable parameters have not been posted to avoid further damage.”

Other recent security issues at Yahoo! include a browser app called Axis which leaked its private key. Yahoo’s HotJobs site was shown to have a SQL injection weakness in 2009.

Yahoo’s full statement in response to the hack reads:

“At Yahoo! we take security very seriously and invest heavily in protective measures to ensure the security of our users and their data across all our products. We are currently investigating the claims of a compromise of Yahoo! user IDs. We encourage users to change their passwords on a regular basis and also familiarise themselves with our online safety tips at”


Peter Judge

Peter Judge has been involved with tech B2B publishing in the UK for many years, working at Ziff-Davis, ZDNet, IDG and Reed. His main interests are networking security, mobility and cloud.
