"We confirm that an older file from Yahoo! Contributor Network (previously Associated Content) containing approximately 450,000 Yahoo! and other company user names and passwords was compromised," said Yahoo spokesman Jon White via email. "Of these, less than 5% of the Yahoo! accounts had valid passwords."
Yahoo said the database breach occurred Wednesday, and that it had already patched the vulnerability exploited by the attacker or attackers. "We are taking immediate action by fixing the vulnerability that led to the disclosure of this data, changing the passwords of the affected Yahoo! users, and notifying the companies whose users' accounts may have been compromised," White said. "We apologize to all affected users."
Yahoo Contributor Network is an online platform for people to share video, audio, and slide shows, for which many users get paid, based on the traffic their content generates. In December 2011, Yahoo renamed the service as Yahoo Voices. Currently, contributors must log onto the service using a Facebook, Google, or Yahoo account.
A hacker or hacking group known as D33Ds Company leaked the Yahoo passwords Wednesday. "We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call, and not as a threat," read a note included at the end of the password dump. While D33Ds Company said it had used a "union-based SQL Injection" attack to effect the leak, it said it purposefully wasn't detailing the Yahoo subdomain it exploited, or the exact vulnerabilities used, so Yahoo would have time to fix the vulnerability.
All told, 453,479 usernames were leaked, of which at least 433,278 appear to be email addresses, according to an analysis published by Identity Finder. Most of the email addresses used (33%) were Yahoo accounts, followed by Gmail (25%), Hotmail (13%), AOL (6%), Comcast (2%), and MSN (1.5%).
According to Yahoo, less than 5% of the Yahoo usernames published in the breach, about 6,400 usernames, were linked to a valid password. If that statistic applies to the other email services as well, then all told about 20,000 individuals' passwords are at risk, unless they had already changed those passwords.
While the leaked data appears to be at least partially outdated, the hackers behind the data breach likely had access to more user-provided personal details, noted Rob Rachwald, director of security strategy at Imperva.
"The usernames and password [list] seems to be obsolete, but the published file suggests that the hackers gained access to the whole database and were able to view some private data on 450,000 users such as full name, full address, phone number, bio, education, and date of birth," he said in a blog post.
"Sadly, this breach highlights how enterprises continue to neglect basic security practices. According to the hackers, the breach was enabled by a union-based SQL injection vulnerability in the application, which is a well-known attack," Rachwald said. "To add insult to injury, the passwords were stored in clear text and not hashed (encoded). One would think the recent LinkedIn breach would have encouraged change, but no."
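The two weaknesses Rachwald names, SQL text built from user input and passwords kept in clear text, shown beside the standard fixes (parameterized queries and a salted, iterated password hash). This is an added Python illustration, not code from Yahoo or Imperva; the in-memory SQLite table, the sample user and the function names are constructed for the example.

```python
import hashlib
import hmac
import os
import sqlite3


def setup_db() -> sqlite3.Connection:
    # Constructed in-memory table for the example; not the breached service's schema.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    return conn


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted, iterated PBKDF2-HMAC-SHA256: a dumped table no longer yields passwords directly.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


def register(conn: sqlite3.Connection, username: str, password: str) -> None:
    salt = os.urandom(16)  # unique per user, so equal passwords hash differently
    conn.execute("INSERT INTO users VALUES (?, ?, ?)",
                 (username, salt, hash_password(password, salt)))


def lookup_vulnerable(conn: sqlite3.Connection, username: str):
    # Anti-pattern: the username is spliced into the statement text, so the input
    # can change the statement's structure (the flaw class behind UNION-based injection).
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchone()


def lookup_safe(conn: sqlite3.Connection, username: str):
    # Parameterized query: the driver passes the username as data, never as SQL.
    return conn.execute("SELECT username FROM users WHERE username = ?", (username,)).fetchone()


def verify_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE username = ?", (username,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    # Constant-time comparison of the recomputed hash against the stored one.
    return hmac.compare_digest(hash_password(password, salt), stored)


def demo() -> dict:
    conn = setup_db()
    register(conn, "o'brien", "correct horse")  # a legitimate name containing a quote
    results = {"safe_lookup": lookup_safe(conn, "o'brien") is not None,
               "good_login": verify_login(conn, "o'brien", "correct horse"),
               "bad_login": verify_login(conn, "o'brien", "wrong")}
    try:
        lookup_vulnerable(conn, "o'brien")
        results["vulnerable_lookup_errored"] = False
    except sqlite3.OperationalError:
        # The apostrophe broke the statement: the input was parsed as SQL, not as data.
        results["vulnerable_lookup_errored"] = True
    return results
```

A plain apostrophe in a user name is enough to show the difference: the concatenated query fails to parse, while the parameterized one simply matches the stored row.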
Editor's note: Corrected spelling of D33Ds hacker group.
Your networks may be under attack as you read this, but unless your security personnel are analyzing logs and leveraging common tools that are well known to your network operations teams, you may not find out until it is too late. In our What's Going On?: Monitor Networks To Thwart Intrusions report, we explain how your security and network teams can cooperate and use common tools to detect threats before your databases are compromised. (Free registration required.)