“The most alarming part to the entire story was the fact that the passwords were stored completely unencrypted and the full 400,000+ usernames and passwords are now public,” the firm wrote in a blog post on the incident, adding, “The method for the compromise was apparently a SQL Injection attack to extract the sensitive information from the database.”
The site listing the email addresses and passwords is down at the time of writing, but according to Ars Technica the information was accompanied by the following message from the hackers:
“We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call, and not as a threat.” It continued, “There have been many security holes exploited in webservers belonging to Yahoo! Inc. that have caused far greater damage than our disclosure. Please do not take them lightly. The subdomain and vulnerable parameters have not been posted to avoid further damage.”
The compromised server appears to be the one behind Yahoo Voices, an article creation and distribution site that was known as Associated Content until it was bought for $100 million in 2010. However, some news outlets are saying the server belongs to the Skype-like Yahoo Voice service.
Either way, there’s been no word yet from Yahoo on the situation. Meanwhile, any Yahoo members worried that their information may have been posted by the hackers should change their password pronto.