Yahoo appears to have been the victim of a security breach that yielded more than hundreds of thousands of login credentials stored in plain text. The hacked data, posted to the hacker site D33D Company, contained more than 453,000 login credentials and appears to have originated from the Web pioneer’s network. The hackers, who said they used a union-based SQL injection technique to penetrate the Yahoo subdomain, intended the data dump to be a “wake-up call.”
“We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call, and not as a threat,” the hackers said in a comment at the bottom of the data. “There have been many security holes exploited in webservers belonging to Yahoo! Inc. that have caused far greater damage than our disclosure. Please do not take them lightly. The subdomain and vulnerable parameters have not been posted to avoid further damage.”
The hacked subdomain appears to belong to Yahoo Voices, according to a TrustedSec report. Hackers apparently neglected to remove the host name from the data. That host name — dbb1.ac.bf1.yahoo.com — appears to be associated with the Yahoo Voices platform, which was formerly known as Associated Content.
Because the data is quite sensitive and displayed in plain text, Blowfish12 has elected not to link to the page, although it is not hard to find. However, the page size is very large and takes a while to load.
The disclosure comes at a time of heightened awareness over password security. Recent high-profile password thefts at LinkedIn, eHarmony, and Last.fm contributed to approximately 8 million passwords posted in two separate lists to hacker sites in early June. Yesterday, Formspring announced it had disabled the passwords of its entire user base after discovering about 420,000 hashed passwords that appeared to come from the question-and-answer site were posted to a security forum.
Blowfish12@2012 blowfish12.tk Author: Sudharsun. P. R.
- Hackers raid Yahoo (news.techeye.net)
- Over 450,000 Usernames and Passwords Leaked, Likely from Yahoo! Voices (news.softpedia.com)
- Yahoo Hacked, 400000+ Passwords Leaked (valuewalk.com)
- Hackers expose 453,000 credentials allegedly taken from Yahoo service (arstechnica.com)
- Hackers Spill 453,000 Yahoo Credentials on the Internet (hotforsecurity.com)
- 450,000 email addresses and plain-text passwords in circulation (h-online.com)
- Yahoo gets hacked as 400,000+ plaintext credentials are posted online (thenextweb.com)
- Over 450,000 emails and passwords allegedly stolen from Yahoo (infoworld.com)