Yahoo said Thursday it is investigating a security breach. Although Yahoo, at first, did not disclose the size of the alleged breach, a group of hackers calling themselves D33D Company said they have posted online more than 450,000 login credentials.
Yahoo said it was investigating the "Compromise of Yahoo! users IDs." According to The Associated Press, Yahoo's Head of U.K. Consumer PR Caroline MacLeod-Smith, said she could not immediately provide details of the breach because "we are still investigating it."
But later, in a statement to TechCrunch, Yahoo! said:
"At Yahoo! we take security very seriously and invest heavily in protective measures to ensure the security of our users and their data across all our products. We confirm that an older file from Yahoo! Contributor Network (previously Associated Content) containing approximately 450,000 Yahoo! and other company users names and passwords was compromised yesterday, July 11. Of these, less than 5% of the Yahoo! accounts had valid passwords. We are taking immediate action by fixing the vulnerability that led to the disclosure of this data, changing the passwords of the affected Yahoo! users and notifying the companies whose users accounts may have been compromised. We apologize to all affected users. We encourage users to change their passwords on a regular basis and also familiarize themselves with our online safety tips at security.yahoo.com."
The previously unknown hacker group D33D Company, said they stole the passwords using an "SQL injection." This refers to a commonly used method of attack in which the hacker uses "rogue commands" to extract data from a vulnerable site.
The group said: “We hope that the parties responsible for managing the security of this sub-domain will take this as a wake-up call.”
AP reports that a Ukraine-registered website associated with D33D Company could not be reached as the email address and phone number quoted for the company appeared invalid.
"It's way bigger than Yahoo!"Reuters reports that a security firm Rapid7, said that the data file the hackers published on the Web contained logins and cleartext passwords for Yahoo as well as several other Internet services, including Google Inc's Gmail, AOL as well as Microsoft Corp's Hotmail, MSN and Live sites.
Reuters reports that Rapid7 researcher Marcus Carey, said: "It's way bigger than Yahoo. We can assume that tens of thousands of people on services outside of Yahoo could be compromised."
Yahoo spokeswoman Dana Lengkeek, said an "older file" was stolen from Yahoo Contributor Network, an Internet publishing service Yahoo purchased about two years ago. Lengkeek said: "We are fixing the vulnerability that led to the disclosure of this data, changing the passwords of the affected Yahoo! users and notifying the companies whose users accounts may have been compromised."
The tech site CNet, also reports that Yahoo has suffered a major password breach. According to CNet, the hacker collective called D33D Co. published login credentials obtained from Yahoo's "Contributor Network" site using a "union-based SQL injection," a method for tricking the database on a poorly secured site to divulge private information. CNet reports that the Yahoo Contributor Network, formerly a content farm called Associated Content, was purchased by Yahoo for more than $100 million. According to CNet, the published files contain "huge number" of login credentials for many other email services. (Gmail: 106,873; Hotmail: 55,148, AOL: 25,521).
CNet indicts Yahoo of a "significant security failure," explaining that passwords are usually "cryptographically masked" in a process called "hashing" to prevent the type of attack that occurred.
The hackers claim they released the information to point out Yahoo's lax security and not for any mischief.
What to do?CNet advises that everyone with a Yahoo ID should assume that it is no more secure and that they should change their passwords.
The website advises that you should change your passwords, especially if you have used the same password for any other major service, particularly for sensitive accounts such as banking, investing, or email.
Mashable reports that Sucuri Malware Labs says users can check to see if their email account via Yahoo! Voices was part of the leak by just clicking here.
CBC reports that the breach follows an incident last month in which eight million passwords belonging to LinkedIn users, the music streaming site Last.fm, and the online dating site eHarmony, were leaked to a hacker forum.