Yahoo Says Breached Security Hole Has Been Closed

The company is advising Yahoo customers who joined Associated Content prior to May 2010 to change their passwords.

Yahoo officials say the vulnerability exploited by hackers that compromised about 450,000 emails and passwords has been fixed.

The company confirmed July 12 that hackers had accessed an old file containing the sensitive information belonging to users of the Yahoo Contributor Network. The information was linked to writers who joined Associated Content -- now known as Yahoo Voices -- prior to its acquisition by Yahoo in May 2010.

"We have taken swift action and have now fixed this vulnerability, deployed additional security measures for affected Yahoo! users, enhanced our underlying security controls and are in the process of notifying affected users," the company said in a July 13 blog post. "In addition, we will continue to take significant measures to protect our users and their data."

The breach was committed by a group of hackers known as D33Ds Company, which posted a text file with the information online and said it used union-based SQL injection to swipe the information. Besides Yahoo email addresses, the list also included email addresses for Gmail, Hotmail, AOL and other services. Users of the Yahoo Contributor Network can sign up using their Google or Facebook IDs, which accounts for the various emails listed.

"We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call, and not as a threat," D33Ds said in a message accompanying the leaked data. "There have been many security holes exploited in webservers belonging to Yahoo! Inc. that have caused far greater damage than our disclosure. Please do not take them lightly. The subdomain and vulnerable parameters have not been posted to avoid further damage."

Fewer than 5 percent of the Yahoo accounts listed had valid passwords, a spokesperson told eWEEK July 12.

"Sadly, this breach highlights how enterprises continue to neglect basic security practices," blogged Rob Rachwald, director of security strategy at Imperva. "According to the hackers, the breach was enabled by union-based SQL injection vulnerability in the application which is a well-known attack. To add insult to injury, the passwords were stored in clear text and not hashed (encoded). One would think the recent LinkedIn breach would have encouraged change, but no. Rather, this episode will only inspire hackers worldwide."

This article was originally published on 07-16-2012
eWeek eWeek

Have the latest technology news and resources emailed to you everyday.

Click for a full list of Newsletterssubmit