Attention Yahoo! Voices users, now would probably be a good time to change your password. The plaintext logins for around 450,000 user accounts for the voice-calling service have been posted online.
According to security site TrustedSec, the service was seriously vulnerable to attack:
The most alarming part to the entire story was the fact that the passwords were stored completely unencrypted and the full 400,000+ usernames and passwords are now public. The method for the compromise was apparently a SQL Injection attack to extract the sensitive information from the database.
According to Ars Technica, the attack was undertaken by a group called D33Ds Company, using a union-based SQL injection — a fairly common means of attacking poorly secured sites.
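The two failures reported above (SQL text built from user input, and passwords stored in plaintext) shown next to their standard fixes. This is an added example, not code from the article, Yahoo! or TrustedSec. The schema, function names and sample input are constructed assumptions, and PBKDF2 is used as one acceptable password-hashing choice.

```python
import hashlib, hmac, os, sqlite3

# Constructed sample input of the union-based kind the article mentions.
CONSTRUCTED_INPUT = "x' UNION SELECT email, pw_hash FROM users --"

def make_db():
    """In-memory database; table and column names are assumptions."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE articles (id INTEGER, title TEXT, author TEXT)")
    db.execute("CREATE TABLE users (email TEXT, salt BLOB, pw_hash BLOB)")
    db.execute("INSERT INTO articles VALUES (1, 'Hello', 'alice')")
    return db

def hash_password(password, salt):
    # Salted, deliberately slow hash: a dumped row does not reveal the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)

def add_user(db, email, password):
    salt = os.urandom(16)  # unique per user
    db.execute("INSERT INTO users VALUES (?, ?, ?)",
               (email, salt, hash_password(password, salt)))

def check_login(db, email, password):
    row = db.execute("SELECT salt, pw_hash FROM users WHERE email = ?",
                     (email,)).fetchone()
    if row is None:
        return False
    # Constant-time comparison of stored and recomputed hashes.
    return hmac.compare_digest(row[1], hash_password(password, row[0]))

def articles_unsafe(db, author):
    # Weak: input is concatenated into the SQL text, so it can add a UNION clause.
    sql = "SELECT id, title FROM articles WHERE author = '" + author + "'"
    return db.execute(sql).fetchall()

def articles_safe(db, author):
    # Fixed: input is bound as a value and only ever compared to the author column.
    return db.execute("SELECT id, title FROM articles WHERE author = ?",
                      (author,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    add_user(db, "a@example.com", "correct horse")
    print("unsafe query returns:", articles_unsafe(db, CONSTRUCTED_INPUT))
    print("safe query returns:  ", articles_safe(db, CONSTRUCTED_INPUT))
```

With the concatenated query the user table leaks, but only as salted hashes. With the bound parameter nothing leaks at all.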
In the post revealing the attack, the hackers said it was intended as a “wake-up call” for “the parties responsible for managing the security of this subdomain” and “not as a threat”.
“There have been many security holes exploited in webservers belonging to Yahoo! Inc. that have caused far greater damage than our disclosure. Please do not take them lightly. The subdomain and vulnerable parameters have not been posted to avoid further damage,” they said.
Yahoo! has since released a statement on the incident:
At Yahoo! we take security very seriously and invest heavily in protective measures to ensure the security of our users and their data across all our products. We confirm that an older file from Yahoo! Contributor Network (previously Associated Content) containing approximately 450,000 Yahoo! and other company users names and passwords was compromised yesterday, July 11. Of these, less than 5% of the Yahoo! accounts had valid passwords. We are taking immediate action by fixing the vulnerability that led to the disclosure of this data, changing the passwords of the affected Yahoo! users and notifying the companies whose users accounts may have been compromised. We apologize to all affected users. We encourage users to change their passwords on a regular basis and also familiarize themselves with our online safety tips at security.yahoo.com.