Over 450,000 Yahoo Accounts Hacked and Posted Online
Hackers calling themselves D33Ds Company claim to have breached Yahoo's security and posted the usernames and passwords of more than 453,000 user accounts online.
The attack seems to have retrieved the login credentials in plaintext from a Yahoo service, which is suspected to be Yahoo Voices. Because all the details are stored in plaintext, anyone with an account which has been compromised could be open to further breaches if they use that same password on other accounts such as Twitter, Facebook or email.
Indeed there are also reported breaches of Android Forums and social network FormSpring, which has 30 million users. It is unclear at this stage if the attacks are linked but users of both Android Forums and FormSpring are being told to change their passwords and to check if they use the same password on other sites.
Yahoo Voices is a service which allows users to publish their own content online. Yahoo bought Associated Content in 2010 for $100m (£64.7m) before turning it into Yahoo Voices. The company claims the service is used by 600,000 people but has not commented on the breach so far.
The data was posted on D33Ds Company's website, but at the time of publication (12.30pm, 12 July) it had been taken offline.
SQL Injection
The hackers used an attack known as a union-based SQL injection, which preys on poorly secured web applications that do not properly validate or escape data entered into input fields, such as a search box, before using it in a database query.
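As an added illustration that is not from the article (the schema, sample rows and function names are constructed; the subdomain and parameters involved in the Yahoo breach were never published), the following shows the pattern behind a union-based injection next to the parameterised query that closes it:

```python
import sqlite3


def build_db():
    # Constructed sample data: a public "articles" table that a search box
    # is meant to query, and a private "users" table that it is not.
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE articles (id INTEGER, title TEXT, author TEXT);
        CREATE TABLE users (email TEXT, password TEXT);
        INSERT INTO articles VALUES (1, 'Recipes', 'alice'), (2, 'Travel', 'bob');
        INSERT INTO users VALUES ('alice@example.com', 'hunter2'),
                                 ('bob@example.com', 'letmein');
    """)
    return conn


def search_vulnerable(conn, term):
    # The search term is concatenated into the SQL text, so a term that
    # contains SQL syntax changes the shape of the query. A UNION with the
    # same number of columns splices rows from any other table into the
    # result set that the page then renders.
    sql = "SELECT title, author FROM articles WHERE title = '" + term + "'"
    return conn.execute(sql).fetchall()


def search_safe(conn, term):
    # Parameterised query: the term is bound as data by the driver and is
    # never parsed as SQL, so the same input is just a title that matches
    # nothing.
    sql = "SELECT title, author FROM articles WHERE title = ?"
    return conn.execute(sql, (term,)).fetchall()


def demonstrate():
    # Returns (rows from the vulnerable query, rows from the safe query) for
    # a constructed union payload, so the difference can be checked directly.
    conn = build_db()
    payload = "' UNION SELECT email, password FROM users --"
    return search_vulnerable(conn, payload), search_safe(conn, payload)
```

Run `demonstrate()`: the vulnerable query hands back the users table, the parameterised one returns an empty list for the identical input.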
The main issue arising from this data dump in terms of security is that it reveals Yahoo stores at least some of its users' sensitive information in plaintext, unlike Android Forums and FormSpring, which both encrypted their passwords.
This means the hackers who stole the passwords could begin using them on other sites immediately without having to crack them, potentially making this a much bigger problem for Yahoo.
Ander Nilsson, CTO at Eurosecure, has analysed the passwords posted online by the hackers and published the top ten found, which include perennial favourites "123456", "password" and "qwerty".
Nilsson also looked at the frequency of the email domains used to register for the Yahoo Voices service. While Yahoo.com, Gmail.com and Hotmail.com were the three largest, he also found 1,870 instances of .edu addresses, along with 93 .gov addresses and 81 .mil addresses.
This suggests contributors using these addresses work for the military and the government, and may have access to sensitive military and government information. If they use the same password for their email accounts as they did for Yahoo Voices, they could be vulnerable to a serious attack.
A note at the bottom of the data dump from D33Ds Company suggests they are not looking to use the information gathered for malicious purposes, but given that it was available for anyone to see, others may take a different view.
"We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call, and not as a threat. There have been many security holes exploited in webservers belonging to Yahoo! Inc. that have caused far greater damage than our disclosure. Please do not take them lightly. The subdomain and vulnerable parameters have not been posted to avoid further damage."
© Copyright IBTimes 2024. All rights reserved.