“The most alarming part to the entire story was the fact that the passwords were stored completely unencrypted and the full 400,000+ usernames and passwords are now public,” the firm wrote in a blog post on the incident, adding, “The method for the compromise was apparently a SQL Injection attack to extract the sensitive information from the database.”
The site listing the email addresses and passwords is down at the time of writing, but according to Ars Technica the information was accompanied by the following message from the hackers:
“We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call, and not as a threat.” It continued, “There have been many security holes exploited in webservers belonging to Yahoo! Inc. that have caused far greater damage than our disclosure. Please do not take them lightly. The subdomain and vulnerable parameters have not been posted to avoid further damage.”
It appears that it’s the Yahoo Voices server which has been compromised by the hackers. Yahoo Voices, an article creation and distribution site, was formerly known as Associated Content until it was bought for $100 million in 2010. However, some news outlets are saying the server belongs to the Skype-like Yahoo Voice service.
Either way, there’s been no word yet from Yahoo on the situation. Meanwhile, any Yahoo members worried that their information may have been posted by the hackers should change their password pronto.