Yahoo Loses 453,000 User Passwords to Hackers

From DailyTech: Hackers with "D33ds Company" have posted 453,000 passwords from Yahoo! Inc.'s (YHOO) Voices -- a part of its news service. Bafflingly, Yahoo administrators apparently opted for no encryption of the passwords, storing them in plain-text.

Hackers scooped up the passwords using SQL injection, according to TrustedSec.

The hackers write on their text dump:

We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call, and not as a threat. There have been many security holes exploited in Web servers belonging to Yahoo! Inc. that have caused far greater damage than our disclosure. Please do not take them lightly.

They were at least kind enough not to publish details of how the penetrated Yahoo's servers.

Yahoo insists that it's not that big a deal, saying that only 5 percent of the user passwords would pass as valid passwords on its other sites, hence most users day-to-day passswords were likely not compromised.

It does apologize, though, for the inconvenience, writing:

At Yahoo! we take security very seriously and invest heavily in protective measures to ensure the security of our users and their data across all our products. We are fixing the vulnerability that led to the disclosure of this data, changing the passwords of the affected Yahoo! users and notifying the companies whose users accounts may have been compromised.

View: Article @ Source Site