450,000 user passwords leaked in Yahoo breach
Summary: A hacker group claims responsibility for an attack on a Yahoo service, exposing more than 450,000 plain text login credentials.
Former Web portal Yahoo has apparently suffered a data breach, resulting in more than 450,000 plain text login credentials pilfered by a group claiming responsibility for the attack.
Ars Technica reported on Thursday that a hacker group, known as D33Ds Company, said in a post it had penetrated the Yahoo subdomain using what is known as a union-based SQL injection. This intrusion technique targets poorly secured Web applications that do not properly scrutinise text entered into search boxes and other user input fields.
The Yahoo service in question appears to be Yahoo Voice--also known as Associated Content, before the media company acquired it in 2010--according to security blog TrustedSec.
The hackers had not removed the host name from the data, leading security experts to suggest that dbb1.ac.bf1.yahoo.com is associated with the Yahoo Voices platform.
ZDNet tried accessing D33Ds' post but the server appears to be down at the time of writing. Torrents have already hit file- and magnet-link sharing sites, such as The Pirate Bay, making the password cache readily available.
Sister site CNET notes that many of the passwords have already been cracked. Crunching the numbers, more than 230 accounts had "password" as their password, for example.
By injecting database commands into those input fields, attackers can trick backend servers into dumping huge amounts of sensitive information, the report said.
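To make the mechanism concrete, here is an added example (not code from the article or from Yahoo) showing a search box wired to the database by string concatenation beside the parameterised version that treats the same input as literal text. The table and column names and the two sample accounts are constructed assumptions.

```python
import sqlite3

# Constructed in-memory schema standing in for a content site's backend;
# the table and column names are assumptions, not Yahoo's.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT);
        CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password TEXT);
        INSERT INTO articles (title) VALUES ('Gardening tips'), ('Cheap travel');
        INSERT INTO users (email, password) VALUES
            ('alice@example.com', 'password'), ('bob@example.com', 'hunter2');
    """)
    return conn

def search_vulnerable(conn, term):
    # String concatenation: the search-box text becomes part of the SQL text,
    # so a UNION clause typed into the box runs as a second SELECT.
    sql = "SELECT id, title FROM articles WHERE title LIKE '%" + term + "%'"
    return conn.execute(sql).fetchall()

def search_safe(conn, term):
    # Parameterised query: the driver binds the input as a value, so any
    # SQL syntax inside it is matched as literal text and never executed.
    sql = "SELECT id, title FROM articles WHERE title LIKE ?"
    return conn.execute(sql, ("%" + term + "%",)).fetchall()

# Constructed input of the kind the article describes: it closes the open
# quote, appends a UNION against an unrelated table, and comments out the rest.
UNION_INPUT = "x%' UNION SELECT email, password FROM users --"

def leaked_credentials(results):
    # Defender-side check on the query output: "titles" that look like
    # e-mail addresses mean rows from the users table reached the caller.
    return [(a, b) for a, b in results if isinstance(a, str) and "@" in a]

if __name__ == "__main__":
    db = make_db()
    print(search_vulnerable(db, "travel"))                      # normal search
    print(leaked_credentials(search_vulnerable(db, UNION_INPUT)))  # credentials dumped
    print(search_safe(db, UNION_INPUT))                         # [] : nothing leaks
```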
The hacker group posted what it claimed were plaintext credentials for some 453,492 Yahoo accounts. "We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call, and not as a threat," it said in its post.
"There have been many security holes exploited in Web servers belonging to Yahoo that have caused far greater damage than our disclosure. Please do not take them lightly. The subdomain and vulnerable parameters have not been posted to avoid further damage."
It comes only a few weeks after LinkedIn, eHarmony, and Last.fm--which is owned by CBS, the same company that owns ZDNet--suffered breaches that led to a vast number of unsalted passwords leaking online. The vast majority of those passwords were cracked in a few hours.
A Yahoo spokesperson said: "We are currently investigating the claims of a compromise of Yahoo! user IDs," adding that users should "change their passwords on a regular basis," according to the BBC.
Updated at 2:20 p.m. BST with additional details and clarifications.
Talkback
Thanks.
Shame on Yahoo
Shame on Yahoo. Let's hope they get off their asses and get some real security and database people employed. The ones sitting on their asses and letting all the pornbots into Yahoo chat need to be fired.
AND- - - -
Course, this is just a retired Ole Man rambling!!!!
We've got altogether too many laws in the United States already
If you want a law, how about one that simply states that any company that has not taken all reasonable steps to prevent the theft of personal information shall pay a fine of some nominal number ($100 sounds good) per individual user name and be responsible for all continuing costs to any individuals who lost their data. Were such a law in place today, Yahoo would be facing a $45 million fine; you'd better believe they'd be making sure they were doing everything possible to prevent intrusions and data theft.
a little misplaced responsibility here. the thief should be punished for
it is the responsibility of government to protect the people from thieves.
assuming of course that the government is not harboring thieves itself.
it is nearly impossible to erect enough barriers to prevent theft.
let the perpetrator of the crime do the time.
:)
.
Really
Well, whether or not "the parties responsible" seem to have forgotten that the threat is to the users who have had their passwords cracked.
Let's see... I think a company has poor security. I will steal their stuff and publish their customers' logon credentials... see what a good boy am I.
Dear Ms Yap
So surprising....
Yahoo's got more inherent security flaws on multiple platforms, ranging from its e-mail service being particularly susceptible to phishing and address book attacks to spoofing. Yahoo has known about these problems for well over a decade--be it in Voice, IM itself, or their e-mail client--and they still act like they're ignorant that these situations even exist.
After all, why change it? It's only their users who get hurt. . . .
And while I am very saddened for the victims (the users) and any harm or loss they might have suffered (knowing first hand the inherent sadness over the discontinuance of a service a person's invested time from THEIR lives into using due to a breach), I give kudos and props to D33Ds for publicly exposing these terrible flaws--and for doing so in a way that Yahoo should not (but probably will) ignore. I sincerely hope they were only exposing Yahoo for the sorry sack of low-budget services they are and do not plan to further harm the users.
It is also my hope that enraged power users (aka hackers) will fight for the rights of the common user. Kudos guys! For too long, users have gotten screwed by bad EULAs and TOSes written by companies who produce equally bad software, hardware, or applications/websites. This has to stop (Microsoft). We do not even own our own purchased products and aren't entitled to a simple DVD/W of our purchase anymore?
These companies are way too full of themselves.
wow, more misplaced anxiety over the criminal as hero here.
that group of perverts needs to be shut down before they hurt anyone else.
wrong upon wrong doesn't make anything right.
:)
.