July 12, 2012

Yahoo Hacked, 453,000 Passwords Stolen And Posted Online

Michael Harper for redOrbit.com - Your Universe Online

Yet another web service has been compromised this morning as hackers have stolen and leaked more than 453,000 Yahoo Voices accounts and passwords.

According to Ars Technica, the hackers say they retrieved the accounts and passwords from Yahoo's server in plain text.

The hacking collective, known as D33Ds Company, said they were able to break into a Yahoo subdomain using an SQL injection. In an SQL injection, text typed into a poorly secured input field (a search box, a URL parameter) is pasted straight into the query the web application sends to its database, so the attacker's input is executed as part of the query. The database is then duped into running commands the developer never intended, such as returning the contents of a user table instead of a page of articles.
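The bug class the article describes, shown in working form. This is an added example written for this page, not Yahoo's code or anything D33Ds published: the tables, rows and the attacker's search string are all constructed here, and the "articles" search endpoint is hypothetical. It uses Python's built-in sqlite3 so it runs offline, and places the vulnerable query beside the parameterized fix.

```python
"""SQL injection: untrusted input concatenated into a query versus a bound parameter.

Added example, not code from the article or from the breached site. The schema,
the rows and the injected search string below are constructed for the demo.
"""
import sqlite3

# Constructed sample data. The users table stores passwords in plain text,
# which is what the hackers claimed to have found on the Yahoo subdomain.
USERS = [
    ("alice@example.com", "hunter2"),
    ("bob@example.com", "letmein"),
    ("carol@example.com", "hunter2"),
]
ARTICLES = [(1, "First post"), (2, "Second post")]

# A typical attacker payload for a search box: close the string literal,
# UNION in two columns from another table, comment out the rest of the query.
INJECTION = "x' UNION SELECT email, password FROM users --"


def build_db():
    """In-memory database standing in for the site's back end."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    conn.execute("CREATE TABLE articles (id INTEGER, title TEXT)")
    conn.executemany("INSERT INTO articles VALUES (?, ?)", ARTICLES)
    return conn


def search_vulnerable(conn, q):
    """The mistake: the user's text becomes part of the SQL program itself."""
    sql = "SELECT id, title FROM articles WHERE title = '" + q + "'"
    return conn.execute(sql).fetchall()


def search_safe(conn, q):
    """The fix: the query text is fixed; q is passed as data via a bound parameter.
    Whatever q contains, the database only ever compares it against title."""
    return conn.execute(
        "SELECT id, title FROM articles WHERE title = ?", (q,)
    ).fetchall()


if __name__ == "__main__":
    db = build_db()
    print("normal search:", search_vulnerable(db, "First post"))
    print("injected, vulnerable:", search_vulnerable(db, INJECTION))  # dumps users
    print("injected, parameterized:", search_safe(db, INJECTION))     # []
```

Run as a script to see the injected search return every e-mail and password from the users table through an endpoint that was only meant to list article titles. The parameterized version returns nothing for the same input because the payload is compared against titles as a plain string, never executed. Binding parameters (or an ORM that does so) is the fix; escaping quotes by hand is not.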

The D33Ds Company hackers then posted these plain text accounts and passwords online. All told, 453,492 Yahoo accounts were exposed.

The D33Ds Company hackers left a note with their stolen information, saying their theft shouldn't be seen as a threat.

“We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call, and not as a threat.”

"There have been many security holes exploited in webservers belonging to Yahoo! Inc. that have caused far greater damage than our disclosure. Please do not take them lightly. The subdomain and vulnerable parameters have not been posted to avoid further damage."

The D33Ds hackers may not seek to harm any Yahoo Voices user with the credentials they took from the Yahoo server, but other hackers might not be so kind. Posting these accounts and passwords online gives anyone the ability to do what they want with the information, and because the pairs are in plain text there is nothing left to crack. As such, it's highly recommended that all Yahoo Voices users change their passwords immediately, and especially anyone who has reused that password on another web service, or worse, at a financial institution.

Yahoo joins the ranks of eHarmony, Last.fm and LinkedIn, each of which has had its users' passwords leaked online in the last five weeks.

Last month, Russian hackers began posting batches of password hashes on hacking forums, asking the wider hacking community to help crack them. All told, more than 6.5 million password hashes were compromised in that leak. While the eHarmony and LinkedIn leaks exposed a much greater number of passwords to potentially dangerous hackers, today's Yahoo Voices leak stands to be even more dangerous, because both the account names and the passwords were leaked, reportedly in plain text. Last month's dumps contained only password hashes: attackers first had to crack them and then work out which account each one belonged to. Both eHarmony and LinkedIn hold that no user was compromised or harmed as a result of the leaks.

LinkedIn's password hashes were also of the less-secure, unsalted variety. Without a per-user salt, every user who chose the same password has the same hash, and an attacker can test a single guess, or a precomputed table of guesses, against the entire dump at once. Salting, the standard defense, has been in use since Unix password files in the 1970s, so LinkedIn faced some scrutiny and even a lawsuit for not taking better care to protect its users' data. If the Yahoo Voices accounts and passwords were, as the D33Ds hackers claim, stored in plain text, Yahoo could face even more severe scrutiny for its lax security measures.
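The difference between the three storage choices mentioned here (plain text, unsalted hashes, salted slow hashes), as an added example that is not code from the article, LinkedIn or Yahoo. The usernames, passwords and five-word "wordlist" are constructed so the demo runs in about a second; the hash algorithms are chosen for the demo (SHA-1 for the unsalted case, PBKDF2-HMAC-SHA256 for the salted case) and are not a statement about what either company used.

```python
"""Plain text vs unsalted hash vs salted, iterated hash, from the attacker's side.

Added example, not from the article or the companies it names. USERS and
WORDLIST are constructed; a real wordlist has millions of entries.
"""
import hashlib
import hmac
import os

# Constructed user database. Two users chose the same password.
USERS = {"alice": "hunter2", "bob": "letmein", "carol": "hunter2"}
WORDLIST = ["password", "123456", "hunter2", "letmein", "qwerty"]


def unsalted_hash(password):
    """One hash per password, identical for every user who picks it."""
    return hashlib.sha1(password.encode()).hexdigest()


def crack_unsalted(leaked, wordlist):
    """Hash each wordlist entry once, then look every leaked hash up in the table.
    The table can even be built before the breach. Returns (recovered, hash_ops)."""
    table = {unsalted_hash(w): w for w in wordlist}
    recovered = {user: table[h] for user, h in leaked.items() if h in table}
    return recovered, len(wordlist)


def salted_hash(password, salt=None, iterations=100_000):
    """Random per-user salt plus an iterated KDF; the salt is stored with the hash."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{salt.hex()}${iterations}${dk.hex()}"


def verify_salted(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, iters, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_salted(leaked, wordlist):
    """No shared table is possible: every guess must be rehashed for every user,
    and each rehash costs `iterations` rounds. Returns (recovered, hash_ops)."""
    recovered, ops = {}, 0
    for user, stored in leaked.items():
        for w in wordlist:
            ops += 1
            if verify_salted(w, stored):
                recovered[user] = w
    return recovered, ops


if __name__ == "__main__":
    plain = dict(USERS)  # plain text: nothing to crack, 453k pairs usable as-is
    print("plain text leak:", plain)

    dump = {u: unsalted_hash(p) for u, p in USERS.items()}
    rec, ops = crack_unsalted(dump, WORDLIST)
    print("unsalted: alice and carol share a hash:", dump["alice"] == dump["carol"])
    print("unsalted recovered:", rec, "with", ops, "hash computations")

    dump = {u: salted_hash(p) for u, p in USERS.items()}
    rec, ops = crack_salted(dump, WORDLIST)
    print("salted: alice and carol share a hash:", dump["alice"] == dump["carol"])
    print("salted recovered:", rec, "with", ops, "slow KDF computations")
```

With a five-word list the salted case still falls, because weak passwords are weak; what changes is the cost. The unsalted attack does one cheap hash per candidate for the whole dump, while the salted attack does one slow KDF per candidate per user, which is why unsalted SHA-1 dumps are cracked in bulk within days and why the article's advice to use a unique, non-dictionary password per site matters even when the site hashes properly.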

Again, any Yahoo Voices user should change their password immediately. If the same password is used on multiple sites, then each of those passwords should be changed, preferably to something unique for each site. The team at Sophos has put together a great tutorial suggesting ways to pick secure and unique passwords.