Hackers Snatch 400K Yahoo Passwords
In yet another example of the growing threat of cybercrime, hackers compromised and published passwords belonging to at least 400,000 users of one of Yahoo’s services.
Yahoo said in an emailed statement that hackers stole an “older file” containing the usernames and passwords of users of Yahoo and other companies from the Yahoo Contributor Network on Wednesday. The media company said less than 5% of the Yahoo passwords were still valid, although it didn’t specify the proportion of passwords from other companies that remained usable.
“We are fixing the vulnerability that led to the disclosure of this data, changing the passwords of the affected Yahoo! users and notifying the companies whose users’ accounts may have been compromised,” the statement said.
The Sunnyvale, California-based company encouraged users of the service, which allows people to contribute articles, slideshows and other work, to change their passwords.
The hacking group D33Ds posted the list to its website in a document titled “Owned and Exposed,” according to computer security firm Sophos. D33Ds said in the document that the hack represented a “wake-up call” and not a threat. However, the passwords were recorded in an unencrypted format, meaning would-be hackers would have to do little to no extra work to utilize them to compromise accounts.
“The unencrypted data was surprising,” Beth Jones, a senior IT threat researcher at Sophos wrote in an email. “Any customer data should be secured, no matter how innocuous it may seem.”
D33Ds said it was able to achieve the hack by using a method referred to as “SQL injection,” according to Sophos. The method essentially involves tricking the Web server into passing attacker-supplied input to the database as part of a query, so that the database storing the passwords can be controlled and the information stored on it read out.
SQL injection is “a very common hacking technique that’s been around for ages, and also one that many businesses seem to fall prey to,” Jones wrote.
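The two failures described above, an injectable query and plaintext password storage, are illustrated below in an added example that is not part of the article and has nothing to do with Yahoo's actual code. It uses a constructed in-memory SQLite table (the `users` schema, the `alice` account and the probe string are all assumptions) to show how a bound parameter keeps input from rewriting the query, and how a salted, iterated hash means a leaked table is not a list of usable credentials.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed in-memory database standing in for a site's user table (not Yahoo's).
db = sqlite3.connect(":memory:")
db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash: a leaked column of these cannot be replayed as passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def add_user(username: str, password: str) -> None:
    salt = os.urandom(16)
    db.execute("INSERT INTO users VALUES (?, ?, ?)",
               (username, salt, hash_password(password, salt)))


def lookup_vulnerable(username: str):
    # Vulnerable: the username is pasted into the SQL text, so a quote in the
    # input ends the literal and whatever follows becomes part of the query.
    row = db.execute(
        f"SELECT username FROM users WHERE username = '{username}'").fetchone()
    return row[0] if row else None


def lookup_safe(username: str):
    # Fixed: a bound parameter is always treated as data, never as SQL.
    row = db.execute(
        "SELECT username FROM users WHERE username = ?", (username,)).fetchone()
    return row[0] if row else None


def verify_login(username: str, password: str) -> bool:
    # Compares hashes in constant time; the plaintext password is never stored.
    row = db.execute(
        "SELECT salt, pw_hash FROM users WHERE username = ?", (username,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(stored, hash_password(password, salt))


add_user("alice", "correct horse battery staple")
# Constructed test input a defender uses to confirm the fix: it closes the
# string literal and appends an always-true condition.
PROBE = "nobody' OR '1'='1"
```

With the probe, `lookup_vulnerable` returns `alice` even though no such username exists, while `lookup_safe` returns `None`; `verify_login` only succeeds for the real password.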
This attack follows other high-profile breaches, including one on professional network LinkedIn (LNKD) last month in which some 6.5 million passwords were compromised. Smaller companies like eHarmony and Last.fm have also fallen victim to attacks recently.
“No one is immune to being attacked, that’s part of reality now,” Jones wrote.