Yahoo Security Breach Confirmed: 450K Yahoo Passwords Stolen
In the most recent Yahoo security breach, Yahoo has confirmed that more than 450k passwords and usernames have been stolen.
Yahoo officials did not announce the breach until the following day, when it was disclosed in the statement below.
Yahoo's most recent security breach is one of the worst in its history, officially placing Yahoo on the year's ever-growing list of internet sites with thousands of passwords stolen. Yahoo has confirmed in its news update that more than 450k usernames and passwords have been stolen. These reportedly include high-profile company and business usernames from Yahoo Voices, a site that allows users to share their opinions through articles and similar content, and to receive payment for those articles.
A public statement explaining the breach was released the day after it occurred.
Public Statement on Yahoo Security Breach
“We confirm that an older file from Yahoo Contributor Network… containing approximately 450,000 Yahoo and other company users’ names and passwords was compromised yesterday.
Of these, less than 5% of the Yahoo accounts had valid passwords. We are taking immediate action by fixing the vulnerability that led to the disclosure of this data, changing the passwords of the affected Yahoo users and notifying the companies whose user accounts may have been compromised.”
Based on this statement, it is believed that most of the passwords stolen in the Yahoo security breach were invalid because the folder stolen was out of date. However, many users are still at risk, as is the Yahoo website. Yahoo has said that any users whose accounts might be compromised will be notified via email.
Stolen Passwords Still Available Online
If you are a Yahoo Voices member, security specialists suggest that you change your password, even if you have not received a warning message from Yahoo. The stolen passwords and data were originally made available via a Ukrainian website, which is now offline after being available for nearly four days. While the site is now down, copies of the stolen passwords have been made available through popular torrent sites, where anyone can download them. Failing to use cryptography on stored passwords could be a sign of laziness, but experts report that it is extremely dangerous to store any sort of password without encrypting it, and that even basic, free sites that you can set up yourself will generally encrypt a password automatically. Not only were the passwords stored poorly, but the security measures taken were also severely lacking.
The ramifications of the stolen passwords are potentially far more dangerous than giving hackers access to Yahoo Voices accounts. Many users were required to sign up by allowing the site access to their email account, meaning that passwords on Yahoo Voices are shared with their email.
Security company Eset released a statistical blog post about the Yahoo security breach, stating that while most of the stolen emails and passwords were from yahoo.com, they also include Gmail, aol.com and more. The statistics also show that many of the passwords are unsafe, commonly used words such as 123456, password, welcome, ninja, abc123, 123456789, 12345678, sunshine, princess, and qwerty, which can easily be hacked. If you use this type of password, please change it to something more secure. You can read the blog update about the Yahoo Security Breach here.
D33D Hacker Group Responsible For Theft
According to the U.S. internet security firm TrustedSec who are in charge of the theft, the little-known hacking group D33D were responsible for the theft. They are believed to have used SQL injection, one of the most common data theft methods, which inserts rogue code into a site's database queries to steal important data. In fact, SQL injection was the same method used in the 2011 Sony security breach that affected millions of users.
TrustedSec has also reported that the nearly 450,000 passwords stolen from Yahoo were not encrypted in any way, a very alarming problem, especially if other passwords on the site are not encrypted as well. Non-encrypted passwords mean that anyone who obtains them can read them and therefore access your account, which is extremely alarming when the site holds personal data including payment methods and credit card information as well as the full address of users.
Yahoo maintains its belief that only about 5% of the stolen passwords were viable, and that most users will not be affected. However, the company does recommend that you change your passwords, especially if you use similar passwords on all of your sites.
The Yahoo security breach occurred only a few weeks after FormSpring disabled several hundred thousand user passwords due to a security breach, and only a month after LinkedIn reported a 6.5 million password security breach.
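The storage practices the article says were missing, shown together as an added example (not Yahoo's code or anything from the original article): parameterized queries so user input never becomes part of the SQL text, salted slow hashes instead of readable passwords, and a check against the common passwords named in the Eset statistics. The table layout, function names and iteration count are assumptions.

```python
import hashlib
import hmac
import os
import sqlite3

# The ten commonly used passwords the article lists from the Eset statistics.
COMMON_PASSWORDS = {"123456", "password", "welcome", "ninja", "abc123",
                    "123456789", "12345678", "sunshine", "princess", "qwerty"}
ITERATIONS = 600_000  # assumption: tune to your own hardware


def open_store():
    """In-memory database with a hypothetical 'users' table (no plaintext column)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (email TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    return db


def _derive(password, salt):
    """Slow, salted hash of the password (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def create_user(db, email, password):
    """Store a per-user salt and hash; refuse the listed common passwords."""
    if password.lower() in COMMON_PASSWORDS:
        return False
    salt = os.urandom(16)
    # '?' placeholders keep user input out of the SQL text, so it is only ever data.
    db.execute("INSERT INTO users VALUES (?, ?, ?)", (email, salt, _derive(password, salt)))
    return True


def verify_user(db, email, password):
    """Return True only when the email exists and the password matches its hash."""
    row = db.execute("SELECT salt, pw_hash FROM users WHERE email = ?", (email,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(stored, _derive(password, salt))


def dump_contains(db, needle):
    """What a copy of the table would reveal: does any stored value contain 'needle'?"""
    for row in db.execute("SELECT email, salt, pw_hash FROM users"):
        if any(needle.encode() in (v if isinstance(v, bytes) else v.encode()) for v in row):
            return True
    return False
```

With this layout, a copied table exposes email addresses, salts and hashes, but not passwords that can be read and reused on the user's email account.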
For anyone accessing online sites, it is recommended that you change passwords every six months, and that you use different passwords on each site.