Of that amount, less than 5 percent of the Yahoo accounts had valid passwords, the company told eWEEK. Besides Yahoo email addresses, the list also included email addresses for Gmail, Hotmail, AOL and other services. Users of the Yahoo Contributor Network can sign up using their Google or Facebook IDs, which accounts for the various emails listed.
"We are fixing the vulnerability that led to the disclosure of this data, changing the passwords of the affected Yahoo users and notifying the companies whose users' accounts may have been compromised," a spokesperson said. "We apologize to affected users. We encourage users to change their passwords on a regular basis and also familiarize themselves with our online safety tips at security.yahoo.com."
The breach occurred courtesy of a group of hackers known as "D33Ds Company," which posted a text file with the information online and said they used union-based SQL injection to swipe the information.
"We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call, and not as a threat," D33Ds said in a message accompanying the leaked data. "There have been many security holes exploited in Web servers belonging to Yahoo! Inc. that have caused far greater damage than our disclosure. Please do not take them lightly. The subdomain and vulnerable parameters have not been posted to avoid further damage."
This is definitely a teachable moment on how not to store passwords in databases, said Marcus Carey, security researcher with Rapid7.
"This should be Application Development 101' at this point not to store passwords in clear text," Carey said.
Ron Gula, CEO and CTO of Tenable Network Security, agreed, noting that if the compromised file had only contained encrypted passwords, the hackers may not have realized what they had obtained.
"As with any type of social network service, if you reuse a password among many different sites, hackers may attempt to reuse these for other sites, such as your bank's Website," he said. "Yahoo is taking the right steps to fix and close this issue and notify their customers."
The Yahoo breach comes on the back of reports earlier this week of a leak affecting social networking site Formspring, which reported that 420,000 password hashes belonging to Formspring users had been posted to a hacking forum.
"Once we were able to verify that the hashes were obtained from Formspring, we locked down our systems and began an investigation to determine the nature of the breach," blogged Formspring founder Ade Olonoh. "We found that someone had broken into one of our development servers and was able to use that access to extract account information from a production database.
"We were able to immediately fix the hole and upgraded our hashing mechanisms from sha-256 with random salts to bcrypt to fortify security," he added. "We take this matter very seriously and continue to review our internal security policies and practices to help ensure that this never happens again."
-->Yahoo Says It Has Closed Security Hole Exploited in Breach:
Yahoo officials say the vulnerability exploited by hackers that compromised about 450,000 emails and passwords has been fixed.
The company confirmed July 12 that hackers had accessed an old file containing the sensitive information belonging to users of the Yahoo Contributor Network. The information was linked to writers who joined Associated Content now known as Yahoo Voices prior to its acquisition by Yahoo in May 2010.
"We have taken swift action and have now fixed this vulnerability, deployed additional security measures for affected Yahoo! users, enhanced our underlying security controls and are in the process of notifying affected users," the company said in a July 13 blog post. "In addition, we will continue to take significant measures to protect our users and their data."
