We can now officially add Yahoo to the list of companies compromised due to hackers. Yahoo has confirmed that the usernames and passwords of more than 400,000 Yahoo Voices accounts were stolen from their servers earlier this week and that data was posted online. Indications were the information has since been removed, but a direct link to the original source seems to still exist and is accessible whenever the load is low enough. The breach wasn't just credentials for Yahoo, but also Gmail, AOL, Comcast, Hotmail, MSN, SBC Global, BellSouth, Verizon and Live.com as well.
The hackers responsible go by the name "D33D Company" whose website is registered out of Ukraine. They were quoted as saying they used SQL Injection to steal the passwords and apparently did this so they could show Yahoo how weak their software security was:
We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call, and not as a threat. There have been many security holes exploited in Web servers belonging to Yahoo Inc. that have caused far greater damage than our disclosure. Please do not take them lightly. The subdomain and vulnerable parameters have not been posted to avoid further damage.
Yahoo has stated that the data came from an older file from the Yahoo! Contributor Network and that less than five percent of the emails had valid passwords.
As a response, Yahoo said that ta fix for this vulnerability is in the works, but the investigation is still underway and the system has not been fully secured yet. Yahoo apologized for the breach and has naturally advised all of its users to change their passwords. Their response was:
At Yahoo! we take security very seriously and invest heavily in protective measures to ensure the security of our users and their data across all our products. We confirm that an older file from Yahoo! Contributor Network (previously Associated Content) containing approximately 400,000 Yahoo! and other company users names and passwords was stolen yesterday, July 11. Of these, less than 5% of the Yahoo! accounts had valid passwords. We are fixing the vulnerability that led to the disclosure of this data, changing the passwords of the affected Yahoo! users and notifying the companies whose users accounts may have been compromised. We apologize to affected users. We encourage users to change their passwords on a regular basis and also familiarize themselves with our online safety tips at security.yahoo.com.
Yahoo still not fixing the issue may sound very similar to last year, when companies such as Sony had many issues with data breaches on the PlayStation network. Sony took a good while before they were able to fix the issue. This story puts a pending confirmation of CEO Ross Levinsohn as the permanent CEO, in the shadows for now most likely.
You can run this script to determine if your account was affected. You could also google "yahoo-disclosure.txt" to see the actual file and live dangerously, but that really doesn't prove if you are compromised.
Use this QR code in a QR reader application on mobile to open quickly on a mobile device