Yahoo confirms 400,000 accounts hacked, less than 5% valid

Summary: Yahoo has confirmed that it has seen some 400,000 of its accounts compromised. The company has downplayed the issue, however, saying that the majority of the credentials are invalid.

Update on July 13 - Yahoo fixes flaw behind 450,000 account hack

Yesterday the hacker group D33ds Company claimed responsibility for attacking a Yahoo service via a union-based SQL injection and exposing 453,492 plain text login credentials. Last we heard, Yahoo was investigating the claims of accounts being compromised. To be on the safe side, the Web giant urged its users to change their passwords on a regular basis. Now, Yahoo has confirmed the breach.

See also - The top 10 passwords from the Yahoo hack: Is yours one of them?

"At Yahoo! we take security very seriously and invest heavily in protective measures to ensure the security of our users and their data across all our products," a Yahoo spokesperson said in a statement obtained by TechCrunch. "We confirm that an older file from Yahoo! Contributor Network (previously Associated Content) containing approximately 400,000 Yahoo! and other company users names and passwords was stolen yesterday, July 11. Of these, less than 5% of the Yahoo! accounts had valid passwords. We are fixing the vulnerability that led to the disclosure of this data, changing the passwords of the affected Yahoo! users and notifying the companies whose users accounts may have been compromised. We apologize to affected users. We encourage users to change their passwords on a regular basis and also familiarize themselves with our online safety tips at"

The most important part of this confirmation is that the swiped file is "old" and Yahoo believes less than 5 percent of the credentials are valid. This means fewer than 22,500 users are affected by this breach, at least according to Yahoo.

Hopefully some of them have already changed their passwords. In fact, if you have a Yahoo account, you should change your password, just to be on the safe side. Furthermore, if you use the same e-mail address and password combination elsewhere, you should change it there as well.

It's also worth noting that Yahoo Voices, the service the accounts were purportedly used for, is not explicitly mentioned. It's all one and the same: Yahoo Voices is the name that consumers see, Yahoo Contributor Network is what the company calls it internally, and Associated Content is what the service was called when Yahoo acquired it in 2010.

Emil Protalinski

About Emil Protalinski

Emil is a freelance journalist writing for CNET and ZDNet. Over the years,
he has covered the tech industry for multiple publications, including Ars
Technica, Neowin, and TechSpot.

  • And of course...

    "password" and its variants like "password123" and "123456" are extremely popular choices for passwords.
    gork platter
  • Yahoo security? Nope, doesn't exist.

    I created a Yahoo account. The email address was very much non-dictionary and could not easily be guessed. I never once used the email account nor did I provide anyone with the email address. Regardless, within two days I began receiving dozens (sometimes hundreds) of spam messages every day. Obviously, someone was able to access my account to determine the email address. I guess I don't care because I don't use the email portion of this account and I just let the spam flow in without worrying about it. However, it was very clear that I should never provide Yahoo with personal info of any kind. They have my name. That's about it.
  • YahooSecure

    John Zent, the guy who could have prevented the 9/11 attacks, works for Yahoo! The former FBI agent is now their head Security Expert. He was also Ali Muhamed's FBI handler in the early '90s. According to the book 'Triple Cross' he let Ali Muhamed slip through his fingers. Ali Muhamed being one of the masterminds behind the 9/11 attack. John Zent was the first person to ever hear the words al Qaeda in relation to a terrorist organization.

    Fellow FBI agents described Zent as 'hapless'. FBI agent John Zent actually vouched for Ali Muhamed when Muhamed was in police custody in Canada. Were it not for John Zent's careless mistakes, Ali Muhamed would not have had the freedom to execute the Black Hawk down incident in Somalia or the U.S. Embassy bombings in Africa, or 9/11.

    It seems that bad decision making is something that Yahoo's John Zent is prone to however, as he also vouched for a triple murderer. The murderer just happened to be dating his daughter. Did I mention that the murderer murdered his parents and sister for insurance money and that John Zent's daughter continued dating this murderer after the police investigation started to focus on him? It's been speculated that Zent's daughter actually knew about the plot and was possibly in on it. Rather than distancing himself and his family from the murderer, John Zent embraced him and testified in court for the defendant. Special Agent John Zent was embroiled in this controversy with his daughter while he should have been focused on Ali Muhamed. His daughter is now a highly paid lawyer in California now, despite her past known record of lying in court.

    Way to pick them Yahoo! You got a real upstanding citizen working for you there. No wonder things are not that secure there, if the FBI version of Barney Fife is in charge. Last time there was a security issue at the company, Zent threatened to call to the Sunnyvale Police on them if they didn't stop picking on Yahoo. True story!

    2,752 people died in the September 11th attacks.
    Ninth Life
    • Sports - terrorist crossover

      Do you mean Ali Muhamed the boxer? Float like a butterfly, sting like a bee! I never would have guessed he had it in him.
      Vexing Concern
  • Does Yahoo really know about security?

    "At Yahoo! we take security very seriously and invest heavily in protective measures to ensure the security of our users and their data across all our products,"

    To the point of being hacked by a simple SQL Injection attack?
  • yahoo email

    Yahoo email hacking is a constant problem. My account was hacked, and computers with IPs from Eastern Europe and Mexico, and Android phones, sent spam with my name and with indecent offerings. All my attempts to attract yahoo's attention to my problem were pointless: they simply do not care. Eventually, I cancelled my yahoo email account with my name and now have “the shopper” account. I keep it for coupons and sellers’ offers, and now I do not care if spam comes from “the shopper.” In general, I think that yahoo is not worthy to stay in the market. If I had to choose between yahoo email and traditional federal post, I would prefer federal mail. I think soon we will revert to the medieval pigeon mail or come back to traditional paper mail. What exists now is nothing but a problem.
    • Have to agree with you

      I have had several female friends whose Yahoo accounts sent me opportunities of various sorts. Kind of rough getting a suggestion I need Viagra from somebody who I thought didn't have any reason to know.
  • Yahoo

    Why is Yahoo doing this?
  • Check if your Yahoo account was hacked!

    Check if your Yahoo account was hacked! -
  • Implement 2 Factor Authentication

    It is just annoying, the fact that we are still living in a password world. Almost everything is still only password protected. But ultimately the fact is passwords (strong or not) do not replace the need for other effective security controls. People need to understand that neither the strength of your password nor having it locked up in Fort Knox will mean anything when it is stolen from the source! The only real solution is to add additional layers of authentication for access and transaction verification without unreasonable complexity, and this will be of help to their customers if they implement some form of two-step or two-factor authentication where you can telesign into your account and have the security of knowing you are protected if your password were to be stolen. This should be a prerequisite for any system that wants to promote itself as being secure. With this, if they were to try to use the “stolen” password and don’t have your phone nor are on the computer, smartphone or tablet you have designated trusted, they would not be able to enter the account. And it is available to their users; it is called “second sign-in verification”.