Yahoo has confirmed that over 400,000 accounts were compromised and their usernames and passwords stolen.
The confirmation from Yahoo came hours after the hackers behind the attack had posted the stolen data online. The attack breached the Yahoo Voices service, a user-generated content portal formerly known as Associated Content.
In a statement, Yahoo said: "We confirm that an older file from Yahoo! Contributor Network (previously Associated Content) containing approximately 400,000 Yahoo! and other company users names and passwords was stolen yesterday, July 11."
The statement goes on to say that just 5 percent of the accounts had valid passwords associated with them, as the file stolen was an old one. Yahoo is still trying to fix the vulnerability which allowed the hackers to use a union-based SQL injection, an attack that preys on poorly secured web applications which do not properly validate data entered into input fields, such as a search box.
Rob Rachwald, security expert from Imperva, said this problem could have been avoided if Yahoo had paid attention to previous, similar attacks. "Sadly, this breach highlights how enterprises continue to neglect basic security practices. One would think the recent LinkedIn breach would have encouraged change, but no. Rather, this episode will only inspire hackers worldwide."
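The paragraph above names the vulnerability class but not the mechanism. The following is an added example, not code from the article or from Yahoo, showing why an unvalidated search field is dangerous and what the fix looks like. It uses Python's built-in sqlite3 module against a constructed in-memory database (the table names, rows and credentials are invented for the demonstration); the same distinction between string-built and parameterised queries applies to any SQL database driver.

```python
import re
import sqlite3


def build_db():
    """Constructed sample data: a tiny content-portal schema with a user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT)")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO articles (title) VALUES (?)",
                     [("Gardening tips",), ("Home repair basics",)])
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "hunter2"), ("bob", "letmein")])
    return conn


def search_vulnerable(conn, term):
    """The weak pattern: the search box value is pasted into the SQL text.

    Whatever the user types becomes part of the statement, so a quote character
    ends the string literal and the rest is executed as SQL. A UNION clause then
    appends rows from any other table to the result the page renders.
    """
    sql = "SELECT title FROM articles WHERE title LIKE '%" + term + "%'"
    return [row[0] for row in conn.execute(sql)]


def search_hardened(conn, term):
    """The fix: bind the value as a parameter.

    The statement text is fixed; the driver passes the term to the engine as
    data, so quotes and keywords inside it are just characters to match against.
    """
    sql = "SELECT title FROM articles WHERE title LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]


# Monitoring aid only: flag search terms that look like SQL probes so they can be
# logged and alerted on. This is a detection signal, not a substitute for the
# parameterised query above.
_PROBE = re.compile(r"['\";]|\b(union|select|or)\b", re.IGNORECASE)


def flag_suspicious_input(term):
    return bool(_PROBE.search(term))


if __name__ == "__main__":
    db = build_db()
    probe = "' UNION SELECT username || ':' || password FROM users --"
    print("vulnerable:", search_vulnerable(db, probe))   # leaks credential rows
    print("hardened:  ", search_hardened(db, probe))     # matches nothing
    print("flagged:   ", flag_suspicious_input(probe))   # True
```

The string-built version returns the two article titles plus every username and password from the user table, which is the shape of leak the article describes; the parameterised version searches for the probe text literally and finds nothing. Parameter binding is the control; the regex flag exists only so that attempts show up in logs.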
The stolen data was stored unencrypted, in plain text, a practice which has raised a lot of concerns within the security industry. Despite this obvious problem, Yahoo's statement opened with the line: "At Yahoo! we take security very seriously and invest heavily in protective measures to ensure the security of our users and their data across all our products."
Rachwald points out that the database stored the passwords in both encrypted and clear-text versions, rendering the encryption useless. However, it was not just the usernames and passwords that were stolen; the hackers also gained access to personal information such as full name, full address, phone number, bio, education, and date of birth.
David Emm, security expert with Kaspersky Labs, isn't as convinced as the company itself about Yahoo's focus on security: "The fact that the site's database contained unencrypted passwords is a real cause for dismay. We would recommend that those with a Yahoo! Voice account take the precaution of changing their password immediately."
Sucuri Malware Labs has already created a script which allows you to check whether your email address has been breached.
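To make concrete what "stored in plain text" versus properly protected storage means for a dumped table, here is an added example that is not from the article or from Yahoo. It contrasts the record layout the article describes (the password itself kept in the row) with a salted, slow hash using PBKDF2-HMAC-SHA256 from Python's standard library. The iteration count and the field names are this example's own choices.

```python
import base64
import hashlib
import hmac
import os

# Assumed work factor for PBKDF2-HMAC-SHA256; tune to the deployment's CPU budget.
ITERATIONS = 600_000


def store_plaintext(password):
    """The pattern the breach exposed: the row contains the password verbatim.

    Anyone who reads the table (SQL injection, backup theft, insider) has every
    credential immediately; keeping an encrypted copy alongside changes nothing.
    """
    return {"password": password}


def store_hashed(password, salt=None):
    """Store only a salted, iterated hash; the password itself is never written."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {
        "salt": base64.b64encode(salt).decode("ascii"),
        "hash": base64.b64encode(digest).decode("ascii"),
        "iterations": ITERATIONS,
    }


def verify_hashed(record, candidate):
    """Recompute the hash with the stored salt and compare in constant time."""
    salt = base64.b64decode(record["salt"])
    expected = base64.b64decode(record["hash"])
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, record["iterations"])
    return hmac.compare_digest(digest, expected)


def record_leaks_password(record, password):
    """What a stolen row gives an attacker: does the password appear in it verbatim?"""
    return any(value == password for value in record.values() if isinstance(value, str))


if __name__ == "__main__":
    rec = store_hashed("hunter2")               # constructed sample password
    print("verify correct:", verify_hashed(rec, "hunter2"))   # True
    print("verify wrong:  ", verify_hashed(rec, "hunter3"))   # False
    print("hashed row leaks password:", record_leaks_password(rec, "hunter2"))             # False
    print("plaintext row leaks password:", record_leaks_password(store_plaintext("hunter2"), "hunter2"))  # True
```

The point of the per-user salt and the high iteration count is that a stolen table becomes expensive to crack one account at a time rather than free to read; reversible encryption does not give that property, and, as the article notes, it gives nothing at all when the clear text sits in the same row.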
Many people use the same password for multiple online accounts and cyber criminals could use the information from this attack to compromise other more sensitive accounts.
"This brings with it the risk that a compromise of one account puts all their accounts at risk. We would urge everyone to use a unique, complex password for all online accounts, i.e. one that is at least eight characters and mixes letters, numbers and symbols," Emm advises.
Analysis of the passwords posted online by the hackers, carried out by Ander Nilsson, CTO at Eurosecure, revealed that official military and government email addresses were among those used to set up Yahoo Voices accounts.
Yahoo Statement in full:
"At Yahoo! we take security very seriously and invest heavily in protective measures to ensure the security of our users and their data across all our products. We confirm that an older file from Yahoo! Contributor Network (previously Associated Content) containing approximately 400,000 Yahoo! and other company users names and passwords was stolen yesterday, July 11. Of these, less than 5% of the Yahoo! accounts had valid passwords. We are fixing the vulnerability that led to the disclosure of this data, changing the passwords of the affected Yahoo! users and notifying the companies whose users accounts may have been compromised. We apologize to affected users. We encourage users to change their passwords on a regular basis and also familiarize themselves with our online safety tips at security.yahoo.com."