Yahoo Apologizes, Fixes Security Gap
Michael Harper for redOrbit.com — Your Universe Online
Five days after a group of hackers broke into some Yahoo servers, stole some plaintext passwords and posted them online for all to see, the Sunnyvale company has announced they've resolved the issue.
“Yahoo! recently confirmed that an older file containing approximately 450,000 email addresses and passwords was compromised,” writes Yahoo on their company blog.
“This compromised file was a standalone file that was not used to grant access to Yahoo! systems and services.”
“We have taken swift action and have now fixed this vulnerability, deployed additional security measures for affected Yahoo! users, enhanced our underlying security controls and are in the process of notifying affected users. In addition, we will continue to take significant measures to protect our users and their data.”
Yahoo is now asking anyone who joined its Associated Content service with a Yahoo account before May 2010 to confirm their identity and change their passwords.
Yahoo apologized at the close of their letter and encouraged their users once more to change their passwords on a regular basis. Yahoo didn't offer any specific details as to how they had fixed the hole or what measures they're taking to prevent this kind of leak from happening again.
The hacking collective – who call themselves D33Ds Company – said they were able to break into the servers using an SQL injection, fooling the servers into giving up the account names and passwords. The D33Ds collective then dumped their list of names and passwords online.
“We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call, and not as a threat.”
“There have been many security holes exploited in webservers belonging to Yahoo! Inc. that have caused far greater damage than our disclosure. Please do not take them lightly. The subdomain and vulnerable parameters have not been posted to avoid further damage.”
As many people use one account name and password for many sites, other web services also reported that some of their users had been compromised as a result of the most recent password dump. While D33Ds may have only wanted to issue a wake-up call, others on the internet weren't so kind. Users of AOL, Google and Microsoft have reported having these accounts compromised as well. AOL, for example, said they had 1,700 accounts compromised last week as a result of the Yahoo password dump. AT&T, Comcast and Verizon also reported that some of their users' accounts had been compromised.
Less than 2 months ago, eHarmony, Last.FM and LinkedIn had their passwords dumped on the internet in a larger data attack. Though no hacker or hacker collective owned up to these attacks, more than 6.5 million eHarmony, Last.FM and LinkedIn passwords were dumped onto a Russian hacking forum.
While this earlier password dump was exponentially larger, it only contained passwords. Yahoo's recent privacy slip-up saw account names and passwords dumped together, making it much more dangerous.
As is often the tagline to stories such as these, it is strongly recommended that anyone with old or outdated passwords change them immediately and often. Likewise, anyone using one password for multiple sites should consider adopting a different password for each site.