450K Yahoo User IDs Hacked


By Steven Musil

Yahoo has been the victim of a security breach that yielded hundreds of thousands of login credentials stored in plain text.


The hacked data, posted to the hacker site D33D Company, contained more than 453,000 login credentials and appears to have originated from the Web pioneer's network. The hackers, who said they used a union-based SQL injection technique to penetrate the Yahoo subdomain, intended the data dump to be a "wake-up call."


"We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call, and not as a threat," the hackers said in a comment at the bottom of the data. "There have been many security holes exploited in webservers belonging to Yahoo! Inc. that have caused far greater damage than our disclosure. Please do not take them lightly. The subdomain and vulnerable parameters have not been posted to avoid further damage."


The hacked subdomain appears to belong to Yahoo Voices, according to a TrustedSec report. Hackers apparently neglected to remove the host name from the data. That host name -- dbb1.ac.bf1.yahoo.com -- appears to be associated with the Yahoo Voices platform, which was formerly known as Associated Content.



Yahoo confirmed that it is looking into the matter. "We are currently investigating the claims of a compromise of Yahoo! user IDs," it said in a statement, according to the BBC. The company also told the BBC that it was unclear which portion of its network was affected, after first having said the problem originated at Yahoo Voice.


CNET has contacted Yahoo for comment independently and will update this report when we learn more.


Because the data is quite sensitive and displayed in plain text, CNET has elected not to link to the page, although it is not hard to find. However, the page size is very large and takes a while to load.


The disclosure comes at a time of heightened awareness over password security. Recent high-profile password thefts at LinkedIn, eHarmony, and Last.fm contributed to approximately 8 million passwords posted in two separate lists to hacker sites in early June. Yesterday, Formspring announced it had disabled the passwords of its entire user base after discovering about 420,000 hashed passwords that appeared to come from the question-and-answer site were posted to a security forum.


Update July 12 at 6:35 a.m. PT: Added confirmation of Yahoo investigating the matter.




If there's one thing to learn from the recent security breach at Yahoo, it's that we need to be more creative with our passwords.





Hackers yesterday exposed more than 450,000 login credentials, which appeared to be gleaned from Yahoo. The hackers said they hoped this would be taken as a wake-up call to the parties responsible for the security of the hacked site, but individuals should also see this as a warning to strengthen their own personal passwords.


CNET's Declan McCullagh wrote a program to analyze the most frequently used passwords and e-mail domains that surfaced in the breach. The following tidbits are culled from his effort:


• 2,295: The number of times a sequential list of numbers was used, with "123456" by far being the most popular password. There were several other instances where the numbers were reversed, or a few letters were added in a token effort to mix things up.


• 160: The number of times "111111" is used as a password, which is only marginally better than a sequential list of numbers. The similarly creative "000000" is used 71 times.


• 780: The number of times "password" was used as the password. Apparently, absolutely no thought went into security in these instances.


• 233: The number of times "password" was used in conjunction with a few numbers behind it. Apparently, the barest minimum of thoughts went into security here.


• 437: The number of times "welcome" is used. With a password like that, you're just asking to be hacked.


• 333: The number of times "ninja" is used. Pirates, unfortunately, didn't make the list.


• 137,559: The number of Yahoo credentials that were leaked.


• 106,873: The number of Gmail credentials that were leaked. Hotmail, which was the next most frequently cited e-mail service, had fewer than half the number of users hit.


• 161: The number of times "freedom" is used, suggesting a lot of patriotic users. "America" was used 68 times.


• 161: The number of times the f-word is used in some combination. There are a lot of angry people out there.


• 133: The number of times "baseball" appears as a password. It's the most popular sport on the list, proving that it is indeed America's national pastime. It just may not be the best password.


• 106: The number of times "superman" is used as a password. That's nearly double the amount of times "batman" is used and triple the frequency of "spiderman."


• 52: The number of times "starwars" is used. The force is not with this password.


• 32: The number of times "lakers" appears. It tied with "maverick," although fortunately "the_heat" or "celtics" weren't on this list.


• 56: The number of times "winner" is used.


• 27: The number of times "ncc1701" is used as a password. For those of you who aren't trekkies, that's the designation code for the Starship Enterprise. "startrek" is used 17 times, while "ncc1701a," the designation for the Enterprise used in later Star Trek movies, is used 15 times.


Chances are, if you're a trekkie or comic book fan, you should probably change up your password.

By Roger Chen & Declan McCullagh, CNET contributing editors

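A sketch of the kind of frequency analysis the article above describes, added here as an example; it is not McCullagh's program or code from CNET or the forum posters. The `email:password` record format, the sample records and the pattern labels are assumptions constructed for illustration, as an administrator might use when auditing a credential list.

```python
import re
from collections import Counter

# Constructed sample records in "email:password" form (not breach data).
SAMPLE = [
    "alice@yahoo.com:123456", "bob@gmail.com:password",
    "carol@hotmail.com:password12", "dave@yahoo.com:111111",
    "erin@gmail.com:654321", "frank@yahoo.com:ncc1701",
    "grace@aol.com:123456", "heidi@yahoo.com:c0rrect-H0rse:battery",
    "malformed line without separator",
]

def classify(pw):
    """Return a weak-pattern label (names are this example's own) or None."""
    low = pw.lower()
    if low == "password":
        return "literal-password"
    if re.fullmatch(r"password\d+", low):
        return "password+digits"
    if low.isascii() and low.isdigit() and len(low) >= 4:
        if len(set(low)) == 1:
            return "repeated-digit"
        # Step between neighbours, mod 10 so "7890" counts as ascending.
        steps = {(int(b) - int(a)) % 10 for a, b in zip(low, low[1:])}
        if steps in ({1}, {9}):
            return "sequential-digits"
    return None

def analyze(lines):
    """Tally weak patterns, e-mail domains and exact passwords."""
    patterns, domains, passwords = Counter(), Counter(), Counter()
    skipped = 0
    for line in lines:
        # Split on the first ":" only; passwords may contain colons.
        email, sep, pw = line.strip().partition(":")
        if not sep or "@" not in email or not pw:
            skipped += 1
            continue
        domains[email.rpartition("@")[2].lower()] += 1
        passwords[pw] += 1
        label = classify(pw)
        if label:
            patterns[label] += 1
    return patterns, domains, passwords, skipped

if __name__ == "__main__":
    patterns, domains, passwords, skipped = analyze(SAMPLE)
    print("weak patterns:", patterns.most_common())
    print("top domains:  ", domains.most_common(3))
    print("most reused:  ", passwords.most_common(1), "skipped:", skipped)
```
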

To change the password on your Yahoo! account:


  1. Go to your Yahoo! Account's Information page.
  2. Enter the Yahoo! ID and password credentials for the account you're changing.
    Note: For enhanced security, you will be asked to sign into your account again if you are already signed in.
  3. Once signed in, select Change your password, located below "Sign-In and Security."
    Note: You may experience fewer account security issues if you utilize a strong password. See our help article with tips for creating a strong, secure password to learn more.
  4. Follow the on-screen instructions to enter your current password, then enter and confirm your new password.
  5. Click Save to submit and confirm your password changes.

For a complete walkthrough of these steps, please check out our video tutorial below which also outlines tips for creating a strong, secure password.








Remember, your password always applies to your entire Yahoo! account, meaning that a change to your password will update it for all of the Yahoo! services used with that account (Yahoo! Mail, Yahoo! Messenger, Yahoo! Finance, Yahoo! Mobile, etc.)


Note: If you are a customer of one of our partners (AT&T, Verizon, etc.), you may need to contact their customer support for further assistance. If that need arises, please find our partner's customer support contact information below:


Additional Information

For tips about safeguarding your Yahoo! account, visit the Yahoo! Security Center.




My roommate and I both have Yahoo accounts. I changed our passwords just to be on the safe side! It's not that hard if you just follow the directions from the previous thread I posted which, btw, came directly from Yahoo. If you have a Yahoo account I would "highly recommend" you change yours too! Hackers sure seem to be very busy the last few months! Regards, Ritchie...



This topic is now archived and is closed to further replies.
