The hacker group D33ds Company has claimed responsibility for attacking a Yahoo service via a union-based SQL injection and exposing 453,492 plain text login credentials.
Yahoo was investigating the claims of accounts being compromised. To be on the safe side, the Web giant urged its users to change their passwords on a regular basis. Now, Yahoo has confirmed the breach.
“At Yahoo! we take security very seriously and invest heavily in protective measures to ensure the security of our users and their data across all our products,” a Yahoo spokesperson said in a statement obtained by TechCrunch. “We confirm that an older file from Yahoo! Contributor Network (previously Associated Content) containing approximately 400,000 Yahoo! and other company users names and passwords was stolen yesterday, July 11. Of these, less than 5% of the Yahoo! accounts had valid passwords. We are fixing the vulnerability that led to the disclosure of this data, changing the passwords of the affected Yahoo! users and notifying the companies whose users accounts may have been compromised. We apologize to affected users. We encourage users to change their passwords on a regular basis and also familiarize themselves with our online safety tips at security.yahoo.com.”
The most important part of this confirmation is that the swiped file is “old” and Yahoo believes less than 5 percent of the credentials are valid. This means fewer than 22,500 users are affected by this breach, at least according to Yahoo.
Hopefully some of them have already changed their passwords. In fact, if you have a Yahoo account, you should change your password, just to be on the safe side. Furthermore, if you use the same e-mail address and password combination elsewhere, you should change it there as well.
It’s also worth noting that Yahoo Voices, the service the accounts were purportedly used for, is not explicitly mentioned. It’s all one and the same: Yahoo Voices is the name that consumers see, Yahoo Contributor Network is what the company calls it internally, and Associated Content is what the service was called when Yahoo acquired it in 2010.