Yahoo, which has taken its share of hits in the last few years, added another black mark against it today when the theft of more than 400,000 accounts and as many as 450,000, including email addresses and passwords, was discovered.
The hacked emails and passwords were posted in a large text file.
The theft has been credited to a black-hat hacking crew called D33D, who most likely breached the server for Yahoo Voices, previously known as Associated Content, with an SQL injection hack. Because Yahoo purchased Associated Content in 2010, many non-Yahoo identities have been breached, including some with Google and AOL emails.
According to the Guardian, some names date back to 2006 and may be from an old list.
Seeing one's users hacked is bad news to begin with for any company, but it appears that the passwords stolen from Yahoo were not encrypted. As Information Week noted, this could put Yahoo in position to be prosecuted. Yahoo has claimed publicly that the information was protected. However if it turns out that such data was not encrypted properly, a court may find those claims to be fraudulent. As security researcher Christopher Soghoian tweeted, “Strong chance of FTC deception case re: Yahoo password breach via claim it maintains reasonable electronic safeguards.”
CNET sorted through the hacked passwords to discover sequential numbers were used 2,295 times. Among the most popular passwords in the file were “123456,” “111111,” “password” and “password” plus numbers.
The hackers told several publications “We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call.” By so doing, D33D make a claim for being do-gooders. “There have been many security holes exploited in webservers belonging to Yahoo! Inc. that have caused far greater damage than our disclosure. Please do not take them lightly. The subdomain and vulnerable parameters have not been posted to avoid further damage."
If you have used Yahoo Voices or Associated Content, Dazzlepod has made the information searchable by account name.