Earlier this week, the hacker group D33ds Company claimed responsibility for attacking a Yahoo service and exposing 450,000 plain text login credentials. Yahoo then confirmed that the accounts were compromised, though it emphasized less than 5 percent of the credentials were valid. Yahoo today closed the saga by fixing the flaw in question.
The Web giant provided the following statement to ZDNet sister site CNET:
Yahoo recently confirmed that an older file containing approximately 450,000 e-mail addresses and passwords was compromised. The compromised information was provided by writers who had joined Associated Content prior to May 2010, when it was acquired by Yahoo. (Associated Content is now the Yahoo Contributor Network.) This compromised file was a standalone file that was not used to grant access to Yahoo systems and services.
We have taken swift action and have now fixed this vulnerability, deployed additional security measures for affected Yahoo users, enhanced our underlying security controls, and are in the process of notifying affected users. In addition, we will continue to take significant measures to protect our users and their data.
If you joined Associated Content prior to May 2010 using your Yahoo e-mail address, please log in to your Yahoo account, where you may be prompted to answer a series of authentication questions to change and validate your credentials.
Interestingly, the last time Yahoo provided a statement, the number of compromised accounts was 400,000. This time, they decided to round down. In my article " The top 10 passwords from the Yahoo hack: Is yours one of them?" yesterday, I noted that the actual number was 442,773 passwords, compared to the originally reported number: 453,492 passwords. Either way, it's reassuring to remember that only a fraction of these were valid at the time of the breach.
In case you've been living under a rock this past week, you can check whether your account was compromised here: Sucuri. If you have a Yahoo account, you should change your password, just to be on the safe side. Furthermore, if you use the same e-mail address and password combination elsewhere, you should change it there as well.
- NSA: Cybercrime is 'the greatest transfer of wealth in history'
- FBI: US losing hacker war
- Richard Clarke: China has hacked every major US company
- US and China test response capabilities via cyber war games
- Anonymous wants to take down the Great Firewall of China
- Anonymous hacks hundreds of Chinese government sites
- China admits Anonymous hacks