450,000 user passwords leaked in Yahoo breach

A hacker group claims responsibility for attack on a Yahoo service, exposing more than 450,000 plain text login credentials.
Written by Jamie Yap, Contributor

Former Web portal Yahoo has apparently suffered a data breach, resulting in more than 450,000 plain text login credentials pilfered by a group claiming responsibility for the attack.

Ars Technica reported on Thursday that a hacker group, known as D33Ds Company, said in a post it had penetrated the Yahoo subdomain using what is known as a union-based SQL injection. This intrusion technique targets poorly secured Web applications that do not properly scrutinise text entered into search boxes and other user input fields. 

The Yahoo service in question appears to be Yahoo Voices--also known as Associated Content, before the media company acquired it in 2010--according to security blog TrustedSec.

The hackers had not removed the host name from the data, leading security experts to suggest that dbb1.ac.bf1.yahoo.com is associated with the Yahoo Voices platform.

ZDNet tried accessing D33Ds' post but the server appears to be down at the time of writing. Torrents have already hit file- and magnet-link sharing sites, such as The Pirate Bay, making the password cache readily available.

Sister site CNET notes that many of the passwords have already been cracked. Crunching the numbers, more than 230 accounts had "password" as their password, for example.

By injecting database commands into such input fields, attackers can trick backend servers into dumping huge amounts of sensitive information, the report said.

The hacker group posted what it claimed were plaintext credentials for some 453,492 Yahoo accounts. "We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call, and not as a threat," it said in its post.

"There have been many security holes exploited in Web servers belonging to Yahoo that have caused far greater damage than our disclosure. Please do not take them lightly. The subdomain and vulnerable parameters have not been posted to avoid further damage."

It comes only a few weeks after LinkedIn, eHarmony, and Last.fm--which is owned by CBS, the same company that owns ZDNet--suffered breaches that led to a vast number of unsalted passwords leaking online. The vast majority of passwords were cracked in a few hours.

A Yahoo spokesperson said: "We are currently investigating the claims of a compromise of Yahoo! user IDs," adding advice for users to "change their passwords on a regular basis," according to the BBC.

Updated at 2:20 p.m. BST: with additional details and clarifications.
