Yahoo plays down size of password breach

Search giant Yahoo claims less than five per cent of the login details posted online by hackers this week had valid passwords. As reported by IT Pro yesterday, the usernames and passwords of 453,491 members of the firm's content sharing site, Yahoo Voices, were posted online by hacking group D33Ds.

The group are understood to have employed a Union-based SQL injection attack to obtain the data.

US security site TrustedSec noted in a blog earlier this week that Gmail and Aol email addresses were also contained in the hacking group's post.

Yahoo has since confirmed the authenticity of the data in a statement and blamed the leak on an unspecified vulnerability.

"We confirm that an older file...containing approximately 450,000 Yahoo and other company user names and passwords were compromised [on] 11 July," said the statement.

"Of these, less than five per cent of the Yahoo accounts had valid passwords."

The company is contacting affected users and changing their passwords, the statement added.

"We apologise to all affected users [and] encourage users to change their passwords on a regular basis," it concluded.

However, while Yahoo seems intent on playing down the size and impact of the breach, security vendor Imperva said the hackers may have obtained more than just passwords and usernames.

"The usernames and passwords seem to be obsolete, but the published file suggests that the hackers gained access to the whole database and were able to view some private data [belonging to these] 450,000 users," said Rob Rachwald, director of security strategy at Imperva.

"To add insult to injury, the passwords were stored in clear text and not encoded. [You would have thought] the recent LinkedIn breach would have encouraged change, but no. This episode will only inspire hackers worldwide."

Caroline Donnelly is the news and analysis editor of IT Pro and its sister site Cloud Pro, and covers general news, as well as the storage, security, public sector, cloud and Microsoft beats. Caroline has been a member of the IT Pro/Cloud Pro team since March 2012, and has previously worked as a reporter at several B2B publications, including UK channel magazine CRN, and as features writer for local weekly newspaper, The Slough and Windsor Observer. She studied Medical Biochemistry at the University of Leicester and completed a Postgraduate Diploma in Magazine Journalism at PMA Training in 2006.