Yahoo has admitted that it has been hacked, and more than 450,000 Yahoo passwords have been posted online – most likely from the Yahoo Voices online discussion and publication site. Security experts say the problem has been made far worse by Yahoo storing the passwords in plain text rather than as salted hashes.
The huge list of credentials, in plain text, was posted to the hacker community site D33D company, having been extracted by what the attackers describe as a union-based SQL injection technique.
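The attackers have withheld the affected subdomain and parameters, so nothing below describes the actual Yahoo flaw. As an added illustration of the class of bug they name (example code, not from the article or from Yahoo), the following Python script builds a lookup that splices user input into SQL, shows the two injected inputs that turn it into a full dump, and contrasts it with the parameterised query that closes the hole. It runs against an in-memory SQLite database seeded with constructed rows; the table and column names are assumptions made for the illustration.

```python
"""Added example (not from the article or from Yahoo's code): a lookup that
splices user input into SQL, the injected inputs that turn it into a full
dump, and the parameterised query that closes the hole. Runs against an
in-memory SQLite database seeded with constructed sample rows; table and
column names are assumptions made for illustration."""
import sqlite3

# Constructed sample data, stored in plaintext as in the breach.
SAMPLE_USERS = [
    ("alice@example.com", "hunter2"),
    ("bob@example.com", "letmein"),
    ("carol@example.com", "Passw0rd!"),
]

# Classic tautology: collapses the WHERE clause so every row matches.
DUMP_ALL = "' OR '1'='1"
# Union-based: appends a second SELECT against the schema catalogue, and the
# trailing comment swallows the closing quote the application would have added.
DUMP_SCHEMA = "' UNION SELECT name, sql FROM sqlite_master --"


def make_db():
    """Fresh in-memory database holding the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, email):
    # BAD: the value becomes part of the SQL text, so quotes in it are parsed as SQL.
    sql = f"SELECT email, password FROM users WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, email):
    # GOOD: the driver sends the value out-of-band; it is only ever compared, never parsed.
    sql = "SELECT email, password FROM users WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, honest input :", lookup_vulnerable(db, "alice@example.com"))
    print("vulnerable, tautology    :", lookup_vulnerable(db, DUMP_ALL))
    print("vulnerable, union/schema :", lookup_vulnerable(db, DUMP_SCHEMA))
    print("safe, tautology          :", lookup_safe(db, DUMP_ALL))
```

The union-based input is the interesting one: once an attacker can append a `SELECT` of their own, they can read the schema catalogue to learn table names and then pull every column of every table through the same parameter, which is how a single "find my account" query becomes a credential dump. The parameterised version returns nothing for either injected string because the driver never lets the value be interpreted as SQL.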
A Yahoo statement has acknowledged the problem and advised users to follow normal security procedures, including changing passwords regularly.
Yahoo has not confirmed which service was hit, but security site TrustedSec examined the posted data and found that the hackers had not stripped every hostname from the dump. One of them, “dbb1.ac.bf1.yahoo.com”, led TrustedSec to conclude that the service involved is Yahoo Voices.
“The most alarming part to the entire story was the fact that the passwords were stored completely unencrypted and the full 400,000+ usernames and passwords are now public,” TrustedSec commented. Others have pointed out that the dump may turn out to be an old file rather than a current list of accounts.
Passwords should never be stored in a form the server can read back. The correct practice is to keep only a hash of each password, computed with a deliberately slow password-hashing function, and to “salt” it with a random per-user value stored alongside the hash. Salting means two users with the same password get different hashes, so an attacker who steals the table cannot crack every account with one precomputed lookup table and must instead attack each entry separately. Business social networking site LinkedIn is facing legal action because its password file was stolen, and had been hashed but not salted.
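To make that distinction concrete, here is an added Python example (not code from the article, from Yahoo or from LinkedIn) contrasting the three storage schemes the paragraph describes: plaintext, an unsalted fast hash, and a salted iterated hash. It also shows why the salt matters by cracking a constructed dump of each kind against a small wordlist. The record format, the iteration count and the sample passwords are assumptions made for the illustration.

```python
"""Added example (not from the article, Yahoo or LinkedIn): three ways to store
a password, from worst to acceptable, and why the salt matters. Standard
library only. The record format, iteration count and sample inputs are
assumptions constructed for this illustration."""
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumption; raise it until one hash costs ~100 ms on your hardware

# Constructed sample wordlist standing in for a real cracking dictionary.
SAMPLE_WORDLIST = ["123456", "password", "hunter2", "letmein", "qwerty"]


def store_plaintext(password):
    # The Yahoo Voices case: a stolen table is immediately usable, no cracking needed.
    return password


def store_unsalted_sha1(password):
    # The LinkedIn case: deterministic and fast. Equal passwords give equal hashes,
    # and one precomputed table cracks every user in the dump at once.
    return hashlib.sha1(password.encode()).hexdigest()


def store_salted(password, salt=None):
    # Random per-user salt plus an iterated KDF: identical passwords no longer
    # collide, tables cannot be precomputed, and every guess costs ITERATIONS rounds.
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_salted(password, record):
    """Recompute the KDF from the stored salt and iteration count and compare."""
    scheme, iters, salt_hex, digest_hex = record.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError("unsupported scheme: " + scheme)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iters))
    # Constant-time compare so a mismatch does not leak how many bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def crack_unsalted(dump, wordlist):
    """Build ONE lookup table for the wordlist and apply it to every user at once.
    dump maps username -> unsalted SHA-1 hex; returns username -> recovered password."""
    table = {store_unsalted_sha1(w): w for w in wordlist}
    return {user: table[h] for user, h in dump.items() if h in table}


def crack_salted(dump, wordlist):
    """With salts there is no shared table: each user costs up to len(wordlist)
    full KDF runs, so the attacker's work scales with the number of accounts."""
    recovered = {}
    for user, record in dump.items():
        for w in wordlist:
            if verify_salted(w, record):
                recovered[user] = w
                break
    return recovered


if __name__ == "__main__":
    print(store_plaintext("hunter2"))
    print(store_unsalted_sha1("hunter2"), store_unsalted_sha1("hunter2"))  # identical
    print(store_salted("hunter2"))
    print(store_salted("hunter2"))  # different salt, different record
```

The two cracking functions are the point of the exercise: against the unsalted dump, the attacker hashes the wordlist once and matches every account in one pass, which is why an unsalted file falls so quickly; against the salted dump, each account has to be attacked on its own and each guess costs the full iteration count. PBKDF2 is used here because it ships in the standard library; a deployment today would more likely pick bcrypt, scrypt or Argon2, but the salting and iteration principle is the same.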
The hackers claimed the attack was a “wake up call” to expose lax security at the Internet giant, entering a Yahoo subdomain and stealing the data. A message posted with the data read: “We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call, and not as a threat. There have been many security holes exploited in webservers belonging to Yahoo! Inc. that have caused far greater damage than our disclosure. Please do not take them lightly. The subdomain and vulnerable parameters have not been posted to avoid further damage.”
Other recent security issues at Yahoo! include a browser app called Axis which leaked its private key. Yahoo’s HotJobs site was shown to have a SQL injection weakness in 2009.
Yahoo’s full statement in response to the hack reads:
“At Yahoo! we take security very seriously and invest heavily in protective measures to ensure the security of our users and their data across all our products. We are currently investigating the claims of a compromise of Yahoo! user IDs. We encourage users to change their passwords on a regular basis and also familiarise themselves with our online safety tips at security.yahoo.com.”